Edit tour

Windows Analysis Report
VmjvNTbD5J.exe

Overview

General Information

Sample name:	VmjvNTbD5J.exe renamed because original name is a hash value
Original sample name:	8ed2ebe94abc2758e4db53c476f8b7a69b5436fe176cba112802990547c5bb24.exe
Analysis ID:	1586717
MD5:	ab660c89d26121d4041874614646fd75
SHA1:	586cb1d772f7f559786f4f5b2420e5ba5806815b
SHA256:	8ed2ebe94abc2758e4db53c476f8b7a69b5436fe176cba112802990547c5bb24
Tags:	exeuser-crep1x
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

VmjvNTbD5J.exe (PID: 6304 cmdline: "C:\Users\user\Desktop\VmjvNTbD5J.exe" MD5: AB660C89D26121D4041874614646FD75)

VmjvNTbD5J.exe (PID: 6404 cmdline: "C:\Windows\TEMP\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe" -burn.clean.room="C:\Users\user\Desktop\VmjvNTbD5J.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572 MD5: B153C388223577EA044ACA3908BE2935)

WebCopier.exe (PID: 6556 cmdline: C:\Windows\TEMP\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe MD5: E2A27870BA4DA90DF6276C4DA9E3CF82)

WebCopier.exe (PID: 5264 cmdline: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe MD5: E2A27870BA4DA90DF6276C4DA9E3CF82)

cmd.exe (PID: 1456 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EKU_Make_debug_v4.exe (PID: 4548 cmdline: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe MD5: 967F4470627F823F4D7981E511C9824F)

WebCopier.exe (PID: 2364 cmdline: "C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe" MD5: E2A27870BA4DA90DF6276C4DA9E3CF82)

cmd.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EKU_Make_debug_v4.exe (PID: 6284 cmdline: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe MD5: 967F4470627F823F4D7981E511C9824F)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WCUtil.dll	ReversingLabs: Detection: 43%
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	ReversingLabs: Detection: 58%
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WCUtil.dll	ReversingLabs: Detection: 43%

Multi AV Scanner detection for submitted file

Source: VmjvNTbD5J.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\wkvxqcae

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A44CC DecryptFileW,	0_2_00007FF6570A44CC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A4460 DecryptFileW,	0_2_00007FF6570A4460
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E73D0 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_00007FF6570E73D0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A40C4 DecryptFileW,	0_2_00007FF6570A40C4
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A2D04 CreateFileW,GetLastError,DecryptFileW,CloseHandle,	0_2_00007FF6570A2D04
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A2AEC CreateFileW,GetLastError,DecryptFileW,CloseHandle,	0_2_00007FF6570A2AEC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D544CC DecryptFileW,	1_2_00007FF743D544CC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D54460 DecryptFileW,	1_2_00007FF743D54460
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D973D0 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_00007FF743D973D0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D52D04 CreateFileW,GetLastError,DecryptFileW,CloseHandle,	1_2_00007FF743D52D04
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D52AEC CreateFileW,GetLastError,DecryptFileW,CloseHandle,	1_2_00007FF743D52AEC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D540C4 DecryptFileW,	1_2_00007FF743D540C4
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1000A940 ?IsEncrypted@CZipFileHeader@@QAE_NXZ,	2_2_1000A940
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10006140 ?CryptDecodeBuffer@CZipArchive@@IAEXK@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?IsEncrypted@CZipFileHeader@@QAE_NXZ,?CryptDecode@CZipArchive@@IAEXAAD@Z,	2_2_10006140
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005980 ?CryptInitKeys@CZipArchive@@IAEXXZ,?CryptUpdateKeys@CZipArchive@@IAEXD@Z,	2_2_10005980
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_100059D0 ?CryptUpdateKeys@CZipArchive@@IAEXD@Z,?CryptCRC32@CZipArchive@@IAEKKD@Z,?CryptCRC32@CZipArchive@@IAEKKD@Z,	2_2_100059D0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005A30 ?CryptCheck@CZipArchive@@IAE_NXZ,?CryptDecode@CZipArchive@@IAEXAAD@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?IsDataDescr@CZipFileHeader@@QAE_NXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,	2_2_10005A30
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_100032A0 ?OpenNewFile@CZipArchive@@QAE_NAAVCZipFileHeader@@HPBD@Z,?IsClosed@CZipArchive@@QAE_N_N@Z,?GetNoEntries@CZipArchive@@QAEHXZ,?SetTime@CZipFileHeader@@QAEXABJ@Z,?SetFileHeaderAttr@CZipArchive@@QAEXAAVCZipFileHeader@@K@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?GetFileName@CZipFileHeader@@QAE?AVCZipString@@XZ,?GetNoEntries@CZipArchive@@QAEHXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?SetFileName@CZipFileHeader@@QAE_NPBD@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?IsDirectory@CZipFileHeader@@QAE_NXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?PrepareData@CZipFileHeader@@IAE_NH_N0@Z,?ThrowError@CZipArchive@@IAEXH_N@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?WriteLocal@CZipFileHeader@@IAEXAAVCZipStorage@@@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?SetFileName@CZipFileHeader@@QAE_NPBD@Z,?CryptCryptHeader@CZipArchive@@IAEXJAAVCZipAutoBuffer@@@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CheckForError@CZipArchive@@IAEXH@Z,	2_2_100032A0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_100042F0 ?WriteNewFile@CZipArchive@@QAE_NPBXK@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CryptEncodeBuffer@CZipArchive@@IAEXXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CheckForError@CZipArchive@@IAEXH@Z,	2_2_100042F0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005B00 ?CryptDecryptByte@CZipArchive@@IAEDXZ,	2_2_10005B00
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005B20 ?CryptDecode@CZipArchive@@IAEXAAD@Z,?CryptDecryptByte@CZipArchive@@IAEDXZ,?CryptUpdateKeys@CZipArchive@@IAEXD@Z,	2_2_10005B20
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10008350 CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,?IsEncrypted@CZipFileHeader@@QAE_NXZ,?GetCrcAndSizes@CZipFileHeader@@IAEXPAD@Z,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,	2_2_10008350
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10002BC0 ?OpenFile@CZipArchive@@QAE_NG@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?IsEncrypted@CZipFileHeader@@QAE_NXZ,?CryptInitKeys@CZipArchive@@IAEXXZ,?CryptCheck@CZipArchive@@IAE_NXZ,?ThrowError@CZipArchive@@IAEXH_N@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?ThrowError@CZipArchive@@IAEXH_N@Z,?CheckForError@CZipArchive@@IAEXH@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?IsEncrypted@CZipFileHeader@@QAE_NXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,	2_2_10002BC0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10004410 ?CloseNewFile@CZipArchive@@QAE_NXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CryptEncodeBuffer@CZipArchive@@IAEXXZ,?CheckForError@CZipArchive@@IAEXH@Z,?CryptEncodeBuffer@CZipArchive@@IAEXXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CheckForError@CZipArchive@@IAEXH@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?EmptyPtrList@CZipArchive@@IAEXXZ,	2_2_10004410
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005C70 ?CryptCRC32@CZipArchive@@IAEKKD@Z,	2_2_10005C70
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005CA0 ?CryptCryptHeader@CZipArchive@@IAEXJAAVCZipAutoBuffer@@@Z,?CryptInitKeys@CZipArchive@@IAEXXZ,GetTickCount,_rand,?CryptEncode@CZipArchive@@IAEXAAD@Z,?CryptEncode@CZipArchive@@IAEXAAD@Z,?CryptEncode@CZipArchive@@IAEXAAD@Z,	2_2_10005CA0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10007D40 ?IsEncrypted@CZipFileHeader@@QAE_NXZ,?IsDataDescr@CZipFileHeader@@QAE_NXZ,?GetCrcAndSizes@CZipFileHeader@@IAEXPAD@Z,	2_2_10007D40
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005D50 ?CryptEncode@CZipArchive@@IAEXAAD@Z,?CryptDecryptByte@CZipArchive@@IAEDXZ,?CryptUpdateKeys@CZipArchive@@IAEXD@Z,	2_2_10005D50
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005D80 ?CryptEncodeBuffer@CZipArchive@@IAEXXZ,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?IsEncrypted@CZipFileHeader@@QAE_NXZ,?CryptEncode@CZipArchive@@IAEXAAD@Z,	2_2_10005D80
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10005DF0 ?TestFile@CZipArchive@@QAE_NGP6A_NKHPAX@Z0K@Z,?IsDirectory@CZipFileHeader@@QAE_NXZ,?IsEncrypted@CZipFileHeader@@QAE_NXZ,?OpenFile@CZipArchive@@QAE_NG@Z,?ReadFile@CZipArchive@@QAEKPAXK@Z,?CloseFile@CZipArchive@@QAEHPBD_N@Z,	2_2_10005DF0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10002E60 ?ReadFile@CZipArchive@@QAEKPAXK@Z,?CryptDecodeBuffer@CZipArchive@@IAEXK@Z,?CurrentFile@CZipArchive@@IAEPAVCZipFileHeader@@XZ,?CheckForError@CZipArchive@@IAEXH@Z,	2_2_10002E60

Source: VmjvNTbD5J.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb source: VmjvNTbD5J.exe, 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000000.00000000.1693692850.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000001.00000000.1697941753.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1710365841.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\My_Programs\WebCopier\Exe\V7_0\WebCopier.pdb source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: ntdll.pdb source: EKU_Make_debug_v4.exe, 0000000A.00000002.2185596688.0000000006A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2178847576.000000000462F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186419661.000000000702C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182446383.0000000005228000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2175450883.000000000422A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185253552.0000000006821000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171438595.00000000021F0000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181840298.000000000502A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173934671.0000000003E23000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186593183.0000000007222000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181085897.0000000004C28000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184623744.000000000622C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180279258.0000000004826000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182660620.000000000542A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182922173.0000000005622000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2174714716.0000000004021000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183634766.0000000005C2D000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184843291.0000000006421000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185036487.0000000006625000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184382020.0000000006027000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183952347.0000000005E2F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2176677960.0000000004422000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183417000.0000000005A22000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181375338.0000000004E27000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2172137517.0000000002B50000.00000004.00001000.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180777683.0000000004A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173093052.0000000003C20000.00000004.00000001.00020000.
Source:	Binary string: wntdll.pdbUGP source: WebCopier.exe, 00000002.00000002.1735052890.000000000A1F0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1734636498.0000000009E93000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791553537.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1792072568.000000000A41C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791805101.000000000A060000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060886824.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060276332.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172580985.000000000A48C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172253484.000000000A0D0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172084559.0000000009D7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2341007872.0000000005710000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340383993.0000000004E5F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: EKU_Make_debug_v4.exe, 0000000A.00000002.2185596688.0000000006A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2178847576.000000000462F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186419661.000000000702C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182446383.0000000005228000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2175450883.000000000422A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185253552.0000000006821000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171438595.00000000021F0000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181840298.000000000502A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173934671.0000000003E23000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186593183.0000000007222000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181085897.0000000004C28000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184623744.000000000622C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180279258.0000000004826000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182660620.000000000542A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182922173.0000000005622000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2174714716.0000000004021000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183634766.0000000005C2D000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184843291.0000000006421000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185036487.0000000006625000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184382020.0000000006027000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183952347.0000000005E2F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2176677960.0000000004422000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183417000.0000000005A22000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181375338.0000000004E27000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2172137517.0000000002B50000.00000004.00001000.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180777683.0000000004A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173093052.0000000003C20000.00000004.00000001.000200
Source:	Binary string: wntdll.pdb source: WebCopier.exe, 00000002.00000002.1735052890.000000000A1F0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1734636498.0000000009E93000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791553537.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1792072568.000000000A41C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791805101.000000000A060000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060886824.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060276332.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172580985.000000000A48C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172253484.000000000A0D0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172084559.0000000009D7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2341007872.0000000005710000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340383993.0000000004E5F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb2 source: VmjvNTbD5J.exe, 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000000.00000000.1693692850.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000001.00000000.1697941753.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1710365841.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: f:\cb\11x_main\producers\distiller\products\adobe\plugins\rndrng\wxp\objfre_wnet_amd64\amd64\AdReGP.pdb source: VmjvNTbD5J.exe, VmjvNTbD5J.exe, 00000001.00000002.1707086793.0000000066711000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570872AC GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00007FF6570872AC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DE914 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6570DE914
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570F2798 FindFirstFileW,FindClose,	0_2_00007FF6570F2798
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A3CF8 FindFirstFileW,FindNextFileW,FindClose,	0_2_00007FF6570A3CF8
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D372AC GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00007FF743D372AC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8E914 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF743D8E914
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DA2798 FindFirstFileW,FindClose,	1_2_00007FF743DA2798
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D53CF8 FindFirstFileW,FindNextFileW,FindClose,	1_2_00007FF743D53CF8
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_100145C2 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	2_2_100145C2
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,	10_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,	10_2_0000000140007628

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_000000014000D848 GetLogicalDriveStringsW,GetDlgItem,GetDriveTypeW,_cwprintf_s_l,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetSpecialFolderPathW,lstrlenW,SHGetSpecialFolderPathW,lstrlenW,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,RegOpenKeyExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,SendMessageW,SendMessageW,SendMessageW,RegCloseKey,

10_2_000000014000D848

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 4x nop then push esi		2_2_10004AB0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 4x nop then push ecx		2_2_10004D80

Source: global traffic

TCP traffic: 192.168.2.4:61227 -> 162.159.36.2:53

Source: unknown

DNS traffic detected: query: plerukilo0.site replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: WebCopier.exe, 00000002.00000000.1705222146.000000000087D000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724311518.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105703835.000000000087D000.00000002.00000001.01000000.0000000A.sdmp

String found in binary or memory: https://www.youtube.com/watch?v=******* equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: plerukilo0.site

Source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: ftp://Welcome.htm_WCerror
Source: VmjvNTbD5J.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=305594530Khttp://itunes.apple.com/
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: VmjvNTbD5J.exe, 00000000.00000003.1694764990.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1712279272.000002BC4E4D0000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694915894.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1712493671.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694915894.000002BC4CABE000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1710904366.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694875001.000002BC4CABE000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694764990.000002BC4CAC7000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1710123901.00000229D6AD0000.00000004.00000800.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1709825331.00000229D6810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/v4/2008/Burn
Source: VmjvNTbD5J.exe, 00000001.00000002.1710123901.00000229D6AD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/v4/2008/BurnH
Source: VmjvNTbD5J.exe, 00000000.00000003.1711503150.000002BC4EC58000.00000004.00000800.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1711479523.000002BC4EC59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/v4/2008/Burnp
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/v4/BootstrapperApplicationData
Source: VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/v4/BundleExtensionData
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.???.xx/?search=%s
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: WebCopier.exe, 00000002.00000002.1733072531.000000000981B000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.0000000009753000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.0000000005421000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.00000000025F6000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000000.1705222146.000000000087D000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105703835.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/downloads/
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/index_buy.html
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/index_skins.html
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/index_support.html7
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/index_support.htmlgClick
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/index_transl.html
Source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/products/wc/tour_win_iet.htm
Source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/products/wc/tour_win_nt.htm
Source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/products/wc/tour_win_t.htm
Source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.maximumsoft.com/products/wc/tour_win_t.htmhttp://www.maximumsoft.com/products/wc/tour_win
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.com
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.softwareok.de
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.surfok.de/
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2155393234.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2153993076.0000000000493000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2153993076.0000000000493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/$y
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2156860948.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156984811.0000000000494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/I
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2158291459.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2158447139.0000000000494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/I8yZ
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2160391132.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156860948.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156984811.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.0000000000495000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/J
Source: EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/Ky
Source: EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/U
Source: EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/V
Source: EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/Wy
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2163893352.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2164153156.0000000000494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/Xyz
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.000000000042C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/d
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2163893352.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2162238370.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2161989373.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2164153156.0000000000494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/dy~
Source: EKU_Make_debug_v4.exe, 0000000E.00000002.2450928590.0000000002D86000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietes
Source: EKU_Make_debug_v4.exe, 0000000E.00000002.2450928590.0000000002D86000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietes0$
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2172416660.0000000002D66000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietes6z
Source: EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietes?hnjw3jwgcrj=viecBZ17TbrJ0plncMPhyySmKom8GzHFEOPa51csL1qYzU39OAnqM
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2172416660.0000000002D66000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietesGHz
Source: EKU_Make_debug_v4.exe, 0000000E.00000002.2450928590.0000000002D86000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietesQ
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2172416660.0000000002D66000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/proprietesS
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2163893352.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2164153156.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.0000000000495000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/py
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2158291459.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2155475609.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2158447139.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156860948.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2155617581.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156984811.0000000000494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site/ty
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2165586598.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2161959109.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2163736974.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2167947962.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2166390533.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2163861233.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2167818938.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000003.2435323872.000000000055E000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000003.2448000505.000000000055E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.000000000042C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443/proprietes?hnjw3jwgcrj=viecBZ17TbrJ0plncMPhyySmKom8GzHFEOPa51csL1qYzU39O
Source: EKU_Make_debug_v4.exe, 0000000E.00000003.2448000505.000000000055E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:4436N
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2166390533.00000000004AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443G
Source: EKU_Make_debug_v4.exe, 0000000E.00000003.2448000505.000000000055E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443X
Source: EKU_Make_debug_v4.exe, 0000000A.00000003.2161959109.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2161832944.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2160051819.00000000004B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://plerukilo0.site:443x
Source: VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: WebCopier.exe, 00000002.00000000.1705222146.000000000087D000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724311518.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105703835.000000000087D000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,

10_2_0000000140007860

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_0000000140007860 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SetClipboardData,CloseClipboard,

10_2_0000000140007860

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_0000000140007274 GetDlgItem,GetDlgItem,GetWindowRect,ScreenToClient,ScreenToClient,GetClientRect,CreateDIBSection,GetDC,CreateCompatibleDC,SelectObject,SelectObject,ReleaseDC,SendMessageW,

10_2_0000000140007274

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_00000001400038A8 KillTimer,GetAsyncKeyState,SetTimer,

10_2_00000001400038A8

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_000000014011FF38 CreateFileW,malloc,ReadFile,NtClose,

10_2_000000014011FF38

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

File deleted: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657089464	0_2_00007FF657089464
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657090238	0_2_00007FF657090238
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570872AC	0_2_00007FF6570872AC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657084D48	0_2_00007FF657084D48
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657089C84	0_2_00007FF657089C84
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF65709EB98	0_2_00007FF65709EB98
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A1BE0	0_2_00007FF6570A1BE0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570F58AC	0_2_00007FF6570F58AC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D88D4	0_2_00007FF6570D88D4
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DE914	0_2_00007FF6570DE914
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DD77C	0_2_00007FF6570DD77C
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570C37AC	0_2_00007FF6570C37AC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570947F8	0_2_00007FF6570947F8
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E1830	0_2_00007FF6570E1830
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D86C8	0_2_00007FF6570D86C8
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF65709C5C8	0_2_00007FF65709C5C8
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D94A0	0_2_00007FF6570D94A0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D84BC	0_2_00007FF6570D84BC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570FC364	0_2_00007FF6570FC364
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570B93B4	0_2_00007FF6570B93B4
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570FA3AC	0_2_00007FF6570FA3AC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E6398	0_2_00007FF6570E6398
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E73D0	0_2_00007FF6570E73D0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570AB24C	0_2_00007FF6570AB24C
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657092284	0_2_00007FF657092284
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF65708B140	0_2_00007FF65708B140
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570B8180	0_2_00007FF6570B8180
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570C8184	0_2_00007FF6570C8184
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570BF1E4	0_2_00007FF6570BF1E4
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF65709B068	0_2_00007FF65709B068
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570CA0F0	0_2_00007FF6570CA0F0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DD0FC	0_2_00007FF6570DD0FC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570C2E38	0_2_00007FF6570C2E38
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D2E58	0_2_00007FF6570D2E58
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570F1ED0	0_2_00007FF6570F1ED0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570CAEF0	0_2_00007FF6570CAEF0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570BCD54	0_2_00007FF6570BCD54
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657087D60	0_2_00007FF657087D60
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DCC68	0_2_00007FF6570DCC68
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E1CCC	0_2_00007FF6570E1CCC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570B7D10	0_2_00007FF6570B7D10
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570F7D00	0_2_00007FF6570F7D00
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570BFC30	0_2_00007FF6570BFC30
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570BDC20	0_2_00007FF6570BDC20
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF657099C1C	0_2_00007FF657099C1C
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570FAA50	0_2_00007FF6570FAA50
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570BBA3C	0_2_00007FF6570BBA3C
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DBA80	0_2_00007FF6570DBA80
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570CEAC0	0_2_00007FF6570CEAC0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570EB9E0	0_2_00007FF6570EB9E0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_66712230	1_2_66712230
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_667158FC	1_2_667158FC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_667140D4	1_2_667140D4
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_667136C8	1_2_667136C8
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D39464	1_2_00007FF743D39464
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D40238	1_2_00007FF743D40238
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D39C84	1_2_00007FF743D39C84
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D4EB98	1_2_00007FF743D4EB98
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D34D48	1_2_00007FF743D34D48
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D884BC	1_2_00007FF743D884BC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D894A0	1_2_00007FF743D894A0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D973D0	1_2_00007FF743D973D0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D96398	1_2_00007FF743D96398
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D693B4	1_2_00007FF743D693B4
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DAA3AC	1_2_00007FF743DAA3AC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DAC364	1_2_00007FF743DAC364
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D372AC	1_2_00007FF743D372AC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D42284	1_2_00007FF743D42284
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D5B24C	1_2_00007FF743D5B24C
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D6F1E4	1_2_00007FF743D6F1E4
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D78184	1_2_00007FF743D78184
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D68180	1_2_00007FF743D68180
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D3B140	1_2_00007FF743D3B140
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8E914	1_2_00007FF743D8E914
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D888D4	1_2_00007FF743D888D4
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DA58AC	1_2_00007FF743DA58AC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D91830	1_2_00007FF743D91830
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D447F8	1_2_00007FF743D447F8
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D737AC	1_2_00007FF743D737AC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8D77C	1_2_00007FF743D8D77C
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D886C8	1_2_00007FF743D886C8
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D4C5C8	1_2_00007FF743D4C5C8
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DA7D00	1_2_00007FF743DA7D00
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D67D10	1_2_00007FF743D67D10
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D91CCC	1_2_00007FF743D91CCC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8CC68	1_2_00007FF743D8CC68
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D49C1C	1_2_00007FF743D49C1C
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D6DC20	1_2_00007FF743D6DC20
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D6FC30	1_2_00007FF743D6FC30
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D51BE0	1_2_00007FF743D51BE0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D7EAC0	1_2_00007FF743D7EAC0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8BA80	1_2_00007FF743D8BA80
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D6BA3C	1_2_00007FF743D6BA3C
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DAAA50	1_2_00007FF743DAAA50
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D9B9E0	1_2_00007FF743D9B9E0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8D0FC	1_2_00007FF743D8D0FC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D7A0F0	1_2_00007FF743D7A0F0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D4B068	1_2_00007FF743D4B068
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D7AEF0	1_2_00007FF743D7AEF0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DA1ED0	1_2_00007FF743DA1ED0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D82E58	1_2_00007FF743D82E58
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D72E38	1_2_00007FF743D72E38
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D37D60	1_2_00007FF743D37D60
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D6CD54	1_2_00007FF743D6CD54
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10010090	2_2_10010090
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1000D900	2_2_1000D900
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10011180	2_2_10011180
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1000FA1E	2_2_1000FA1E
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10016A98	2_2_10016A98
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1001F3B7	2_2_1001F3B7
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1000DDC0	2_2_1000DDC0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10011DD0	2_2_10011DD0
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10012E10	2_2_10012E10
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10011700	2_2_10011700
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10013F40	2_2_10013F40
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1000F7CE	2_2_1000F7CE
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000BFFC	10_2_000000014000BFFC
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001D000	10_2_000000014001D000
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000B824	10_2_000000014000B824
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014002F838	10_2_000000014002F838
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000D848	10_2_000000014000D848
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140021068	10_2_0000000140021068
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000909C	10_2_000000014000909C
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00000001400238F8	10_2_00000001400238F8
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001A9B8	10_2_000000014001A9B8
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00000001400041C8	10_2_00000001400041C8
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00000001400231CC	10_2_00000001400231CC
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140021A00	10_2_0000000140021A00
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000E214	10_2_000000014000E214
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140024A78	10_2_0000000140024A78
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001F2A4	10_2_000000014001F2A4
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000A378	10_2_000000014000A378
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140122B98	10_2_0000000140122B98
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140013390	10_2_0000000140013390
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140020BB8	10_2_0000000140020BB8
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140001424	10_2_0000000140001424
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140008C3C	10_2_0000000140008C3C
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140005450	10_2_0000000140005450
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000D458	10_2_000000014000D458
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014011B450	10_2_000000014011B450
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001048C	10_2_000000014001048C
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00000001400EE4C4	10_2_00000001400EE4C4
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00000001400FC53C	10_2_00000001400FC53C
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000A5E0	10_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140022E30	10_2_0000000140022E30
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014002267C	10_2_000000014002267C
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001AE88	10_2_000000014001AE88
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140011EF4	10_2_0000000140011EF4
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00000001400FF714	10_2_00000001400FF714
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001DF44	10_2_000000014001DF44
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140040F48	10_2_0000000140040F48
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140018790	10_2_0000000140018790
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637506780	10_2_00007FF637506780
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637491E70	10_2_00007FF637491E70
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637492670	10_2_00007FF637492670
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748C580	10_2_00007FF63748C580
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748AD40	10_2_00007FF63748AD40
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637484450	10_2_00007FF637484450
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748F530	10_2_00007FF63748F530
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748CCF0	10_2_00007FF63748CCF0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637594B60	10_2_00007FF637594B60
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748B360	10_2_00007FF63748B360
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637506A60	10_2_00007FF637506A60
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637488080	10_2_00007FF637488080
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637484040	10_2_00007FF637484040
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374D3110	10_2_00007FF6374D3110
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374826A0	10_2_00007FF6374826A0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637506120	10_2_00007FF637506120
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374888D0	10_2_00007FF6374888D0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374848F0	10_2_00007FF6374848F0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637489CD0	10_2_00007FF637489CD0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6375948D0	10_2_00007FF6375948D0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374C0F90	10_2_00007FF6374C0F90
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637503750	10_2_00007FF637503750
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374ADF40	10_2_00007FF6374ADF40
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637488740	10_2_00007FF637488740
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637488FD0	10_2_00007FF637488FD0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637505E90	10_2_00007FF637505E90
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748BE80	10_2_00007FF63748BE80
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6376146A0	10_2_00007FF6376146A0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748F6A0	10_2_00007FF63748F6A0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637594E90	10_2_00007FF637594E90
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374D5EA0	10_2_00007FF6374D5EA0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374826A0	10_2_00007FF6374826A0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637486E40	10_2_00007FF637486E40
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748CCF0	10_2_00007FF63748CCF0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748A710	10_2_00007FF63748A710
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637487F30	10_2_00007FF637487F30
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374826A0	10_2_00007FF6374826A0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374C0580	10_2_00007FF6374C0580
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374895A0	10_2_00007FF6374895A0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374D2D40	10_2_00007FF6374D2D40
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637492E30	10_2_00007FF637492E30
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748DC80	10_2_00007FF63748DC80
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374875E0	10_2_00007FF6374875E0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637506490	10_2_00007FF637506490
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374D6490	10_2_00007FF6374D6490
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748DC80	10_2_00007FF63748DC80
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374C0CB0	10_2_00007FF6374C0CB0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637584C70	10_2_00007FF637584C70
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374BE510	10_2_00007FF6374BE510
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637484450	10_2_00007FF637484450
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637490D00	10_2_00007FF637490D00
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637489CD0	10_2_00007FF637489CD0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6375844E0	10_2_00007FF6375844E0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748A3B0	10_2_00007FF63748A3B0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637492340	10_2_00007FF637492340
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637481B3A	10_2_00007FF637481B3A
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637481B3A	10_2_00007FF637481B3A
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374ABB70	10_2_00007FF6374ABB70
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637481360	10_2_00007FF637481360
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637487C00	10_2_00007FF637487C00
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748D3E0	10_2_00007FF63748D3E0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6375A13D0	10_2_00007FF6375A13D0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748DA90	10_2_00007FF63748DA90
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374899D0	10_2_00007FF6374899D0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374892B0	10_2_00007FF6374892B0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637558292	10_2_00007FF637558292
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637486E40	10_2_00007FF637486E40
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637534240	10_2_00007FF637534240
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637481B06	10_2_00007FF637481B06
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637488300	10_2_00007FF637488300
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748EAFC	10_2_00007FF63748EAFC
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374AB2F0	10_2_00007FF6374AB2F0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF63748FAE0	10_2_00007FF63748FAE0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374D29B0	10_2_00007FF6374D29B0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637484140	10_2_00007FF637484140
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374D6200	10_2_00007FF6374D6200
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374899D0	10_2_00007FF6374899D0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374879C8	10_2_00007FF6374879C8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: String function: 00007FF6570812B4 appears 394 times
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: String function: 00007FF6570812B0 appears 359 times
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: String function: 00007FF6570831DC appears 50 times
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: String function: 00007FF65708C0C0 appears 65 times
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: String function: 00007FF6570EE988 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: String function: 00007FF63748F6A0 appears 51 times
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: String function: 00007FF743D312B4 appears 394 times
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: String function: 00007FF743D9E988 appears 89 times
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: String function: 00007FF743D312B0 appears 359 times
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: String function: 00007FF743D331DC appears 50 times
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: String function: 00007FF743D3C0C0 appears 65 times

Source: EKU_Make_debug_v4.exe.4.dr

Static PE information: Resource name: ZIP type: Zip archive data (empty)

Source: wkvxqcae.4.dr

Static PE information: Number of sections : 12 > 10

Source: VmjvNTbD5J.exe	Binary or memory string: OriginalFilename vs VmjvNTbD5J.exe
Source: VmjvNTbD5J.exe, 00000000.00000000.1693852223.00007FF657140000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamethresh.exe8 vs VmjvNTbD5J.exe
Source: VmjvNTbD5J.exe	Binary or memory string: OriginalFilename vs VmjvNTbD5J.exe
Source: VmjvNTbD5J.exe, 00000001.00000002.1707165908.0000000066719000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameADREGP.DLLV vs VmjvNTbD5J.exe
Source: VmjvNTbD5J.exe, 00000001.00000002.1710481958.00007FF743DF0000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamethresh.exe8 vs VmjvNTbD5J.exe

Source: classification engine

Classification label: mal84.evad.winEXE@18/20@2/0

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570E7928 FormatMessageW,GetLastError,LocalFree,

0_2_00007FF6570E7928

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E8F38 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,		0_2_00007FF6570E8F38
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D98F38 LookupPrivilegeValueW,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,		1_2_00007FF743D98F38

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

Code function: 2_2_1000B320 GetDiskFreeSpaceA,

2_2_1000B320

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570EE4B8 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_00007FF6570EE4B8

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570F6D00 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,

0_2_00007FF6570F6D00

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570C3D48 ChangeServiceConfigW,GetLastError,

0_2_00007FF6570C3D48

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

File created: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3164:120:WilError_03

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

File created: C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.cleanroom.log

Jump to behavior

Source: VmjvNTbD5J.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\cmd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VmjvNTbD5J.exe

ReversingLabs: Detection: 47%

Source: VmjvNTbD5J.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VmjvNTbD5J.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: EKU_Make_debug_v4.exe	String found in binary or memory: -install -runas
Source: EKU_Make_debug_v4.exe	String found in binary or memory: -install
Source: EKU_Make_debug_v4.exe	String found in binary or memory: -install -nolisense

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

File read: C:\Users\user\Desktop\VmjvNTbD5J.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VmjvNTbD5J.exe "C:\Users\user\Desktop\VmjvNTbD5J.exe"
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Process created: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe "C:\Windows\TEMP\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe" -burn.clean.room="C:\Users\user\Desktop\VmjvNTbD5J.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Process created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe C:\Windows\TEMP\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Process created: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe "C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe"
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Process created: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe "C:\Windows\TEMP\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe" -burn.clean.room="C:\Users\user\Desktop\VmjvNTbD5J.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Process created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe C:\Windows\TEMP\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Process created: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: wcutil.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: wcutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: wcutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: toxpkftoidctr.4.dr

LNK file: ..\..\Roaming\ChromeQuick_DVBv5\WebCopier.exe

Source: VmjvNTbD5J.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: VmjvNTbD5J.exe

Static file information: File size 7884295 > 1048576

Source: VmjvNTbD5J.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VmjvNTbD5J.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VmjvNTbD5J.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VmjvNTbD5J.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VmjvNTbD5J.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VmjvNTbD5J.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VmjvNTbD5J.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: VmjvNTbD5J.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb source: VmjvNTbD5J.exe, 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000000.00000000.1693692850.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000001.00000000.1697941753.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1710365841.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\My_Programs\WebCopier\Exe\V7_0\WebCopier.pdb source: WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: ntdll.pdb source: EKU_Make_debug_v4.exe, 0000000A.00000002.2185596688.0000000006A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2178847576.000000000462F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186419661.000000000702C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182446383.0000000005228000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2175450883.000000000422A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185253552.0000000006821000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171438595.00000000021F0000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181840298.000000000502A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173934671.0000000003E23000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186593183.0000000007222000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181085897.0000000004C28000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184623744.000000000622C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180279258.0000000004826000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182660620.000000000542A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182922173.0000000005622000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2174714716.0000000004021000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183634766.0000000005C2D000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184843291.0000000006421000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185036487.0000000006625000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184382020.0000000006027000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183952347.0000000005E2F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2176677960.0000000004422000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183417000.0000000005A22000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181375338.0000000004E27000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2172137517.0000000002B50000.00000004.00001000.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180777683.0000000004A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173093052.0000000003C20000.00000004.00000001.00020000.
Source:	Binary string: wntdll.pdbUGP source: WebCopier.exe, 00000002.00000002.1735052890.000000000A1F0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1734636498.0000000009E93000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791553537.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1792072568.000000000A41C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791805101.000000000A060000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060886824.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060276332.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172580985.000000000A48C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172253484.000000000A0D0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172084559.0000000009D7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2341007872.0000000005710000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340383993.0000000004E5F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: EKU_Make_debug_v4.exe, 0000000A.00000002.2185596688.0000000006A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2178847576.000000000462F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186419661.000000000702C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182446383.0000000005228000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2175450883.000000000422A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185253552.0000000006821000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171438595.00000000021F0000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181840298.000000000502A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173934671.0000000003E23000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2186593183.0000000007222000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181085897.0000000004C28000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184623744.000000000622C000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180279258.0000000004826000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182660620.000000000542A000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2182922173.0000000005622000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2174714716.0000000004021000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183634766.0000000005C2D000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184843291.0000000006421000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2185036487.0000000006625000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2184382020.0000000006027000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183952347.0000000005E2F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2176677960.0000000004422000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2183417000.0000000005A22000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2181375338.0000000004E27000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2172137517.0000000002B50000.00000004.00001000.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2180777683.0000000004A20000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2173093052.0000000003C20000.00000004.00000001.000200
Source:	Binary string: wntdll.pdb source: WebCopier.exe, 00000002.00000002.1735052890.000000000A1F0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1734636498.0000000009E93000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791553537.0000000009CC5000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1792072568.000000000A41C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791805101.000000000A060000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060886824.0000000005980000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060276332.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172580985.000000000A48C000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172253484.000000000A0D0000.00000004.00000800.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2172084559.0000000009D7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2341007872.0000000005710000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340383993.0000000004E5F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb2 source: VmjvNTbD5J.exe, 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000000.00000000.1693692850.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmp, VmjvNTbD5J.exe, 00000001.00000000.1697941753.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1710365841.00007FF743DAF000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: f:\cb\11x_main\producers\distiller\products\adobe\plugins\rndrng\wxp\objfre_wnet_amd64\amd64\AdReGP.pdb source: VmjvNTbD5J.exe, VmjvNTbD5J.exe, 00000001.00000002.1707086793.0000000066711000.00000020.00000001.01000000.00000006.sdmp

Source: VmjvNTbD5J.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VmjvNTbD5J.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VmjvNTbD5J.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VmjvNTbD5J.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VmjvNTbD5J.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

Code function: 2_2_1001AA2F LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_1001AA2F

Source: Pedlary.dll.1.dr	Static PE information: real checksum: 0xd3c8 should be: 0x10a4a
Source: WCUtil.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x2dc11
Source: WCUtil.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x2dc11
Source: VmjvNTbD5J.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x778cbb
Source: VmjvNTbD5J.exe	Static PE information: real checksum: 0x0 should be: 0x78600c
Source: wkvxqcae.4.dr	Static PE information: real checksum: 0x269089 should be: 0x273aaf

Source: VmjvNTbD5J.exe	Static PE information: section name: .didat
Source: VmjvNTbD5J.exe	Static PE information: section name: .wixburn
Source: VmjvNTbD5J.exe	Static PE information: section name: _RDATA
Source: VmjvNTbD5J.exe.0.dr	Static PE information: section name: .didat
Source: VmjvNTbD5J.exe.0.dr	Static PE information: section name: .wixburn
Source: VmjvNTbD5J.exe.0.dr	Static PE information: section name: _RDATA
Source: EKU_Make_debug_v4.exe.4.dr	Static PE information: section name: Shared
Source: wkvxqcae.4.dr	Static PE information: section name: .xdata
Source: wkvxqcae.4.dr	Static PE information: section name: epj

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1001AA00 push eax; ret	2_2_1001AA2E
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_1001E714 push eax; ret	2_2_1001E732
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001282D push 8B480014h; retf	10_2_0000000140012832
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014001D949 push rsp; ret	10_2_000000014001D94B
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140013D4C pushfq ; ret	10_2_0000000140013D4D
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140013DE5 pushfq ; ret	10_2_0000000140013DE6
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140013F26 pushfq ; ret	10_2_0000000140013F27
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637488740 push rax; retf	10_2_00007FF6374888C3
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637483805 push rax; retf	10_2_00007FF637483806
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637483817 push rax; retf	10_2_00007FF637483818
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637483FDD push rdx; retf	10_2_00007FF637483FDE
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374815EA push rax; retf	10_2_00007FF6374823F2
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF637486C6A push FFFFFFEAh; iretd	10_2_00007FF637486C6D

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	File created: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Jump to dropped file
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\Pedlary.dll	Jump to dropped file
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WCUtil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\yirxmaoe	Jump to dropped file
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	File created: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WCUtil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\wkvxqcae	Jump to dropped file
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Jump to dropped file

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\Pedlary.dll	Jump to dropped file
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WCUtil.dll	Jump to dropped file
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	File created: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\wkvxqcae			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\yirxmaoe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_00000001400853D4 GetPrivateProfileStringW,lstrlenW,

10_2_00000001400853D4

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WKVXQCAE
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\YIRXMAOE

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	API/Special instruction interceptor: Address: 6CD57C44
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	API/Special instruction interceptor: Address: 6CD57C44
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	API/Special instruction interceptor: Address: 6CD57945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CD53B54

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Dropped PE file which has not been started: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\Pedlary.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yirxmaoe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wkvxqcae	Jump to dropped file

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Evaded block: after key decision

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	API coverage: 2.9 %
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	API coverage: 1.5 %

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe TID: 6388	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe TID: 4868	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe TID: 5472	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E7A38 GetLocalTime followed by cmp: cmp esi, 05h and CTI: je 00007FF6570E7AFAh	0_2_00007FF6570E7A38
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570E7A38 GetLocalTime followed by cmp: cmp esi, 01h and CTI: je 00007FF6570E7AF1h	0_2_00007FF6570E7A38
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D97A38 GetLocalTime followed by cmp: cmp esi, 05h and CTI: je 00007FF743D97AFAh	1_2_00007FF743D97A38
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D97A38 GetLocalTime followed by cmp: cmp esi, 01h and CTI: je 00007FF743D97AF1h	1_2_00007FF743D97A38

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570872AC GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00007FF6570872AC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DE914 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6570DE914
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570F2798 FindFirstFileW,FindClose,	0_2_00007FF6570F2798
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570A3CF8 FindFirstFileW,FindNextFileW,FindClose,	0_2_00007FF6570A3CF8
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D372AC GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,GetLastError,DeleteFileW,MoveFileExW,MoveFileExW,GetLastError,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00007FF743D372AC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8E914 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF743D8E914
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743DA2798 FindFirstFileW,FindClose,	1_2_00007FF743DA2798
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D53CF8 FindFirstFileW,FindNextFileW,FindClose,	1_2_00007FF743D53CF8
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_100145C2 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose,	2_2_100145C2
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_000000014000A5E0 GetDlgItem,SendMessageW,SendMessageW,SendMessageW,wsprintfW,GetClientRect,SendMessageW,FindFirstFileW,lstrlenW,SendMessageW,FindNextFileW,FindClose,	10_2_000000014000A5E0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_0000000140007628 FindClose,lstrlenW,lstrcpyW,FindFirstFileW,GetFullPathNameW,FindClose,SetLastError,lstrlenW,	10_2_0000000140007628

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

10_2_000000014000D848

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570FDEE0 VirtualQuery,GetSystemInfo,

0_2_00007FF6570FDEE0

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: WebCopier.exe, 00000002.00000000.1705222146.000000000087D000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724311518.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105703835.000000000087D000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: aihgfs
Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.000000000042C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570DA42C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6570DA42C

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

Code function: 2_2_1001AA2F LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_1001AA2F

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF657086A48 GetProcessHeap,RtlFreeHeap,GetLastError,

0_2_00007FF657086A48

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D44D0 SetUnhandledExceptionFilter,	0_2_00007FF6570D44D0
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570DA42C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6570DA42C
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D42EC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6570D42EC
Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Code function: 0_2_00007FF6570D3DE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6570D3DE4
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_66715040 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_66715040
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D844D0 SetUnhandledExceptionFilter,	1_2_00007FF743D844D0
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D8A42C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF743D8A42C
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D842EC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF743D842EC
Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	Code function: 1_2_00007FF743D83DE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF743D83DE4
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10017C4A SetUnhandledExceptionFilter,	2_2_10017C4A
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: 2_2_10017C5C SetUnhandledExceptionFilter,	2_2_10017C5C
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Code function: 10_2_00007FF6374811B5 Sleep,exit,SetUnhandledExceptionFilter,exit,	10_2_00007FF6374811B5

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF654161B3F
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF654074E4D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x14011D93E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x7FF63767D111	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63748C691	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtReadFile: Direct from: 0x7FF63751B6F3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63751B65B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtReadVirtualMemory: Direct from: 0x7FF653FF8A4D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x7FF65415F4FC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationProcess: Direct from: 0x7FF653FEFB8D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6541608D8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF65404DF12	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF654001447	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	NtProtectVirtualMemory: Direct from: 0x6F843882	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationToken: Direct from: 0x7FF63756AAF2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF654161B4D
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationProcess: Direct from: 0x7FF653FF0043	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221C26A1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x7FF63751B4C9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653F64472	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x14011D808	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63756DA4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtMapViewOfSection: Direct from: 0x7FF6541604AA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtOpenKeyEx: Direct from: 0x7FF637539C13	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtMapViewOfSection: Direct from: 0x7FF653F6F65A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF637484472	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationThread: Direct from: 0x7FF65416A237	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF6376808D8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF63753AD3A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF637681B4D
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF63748F65A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF654161B2B
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	NtQuerySystemInformation: Direct from: 0x10002918	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationProcess: Direct from: 0x7FF654000F49	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653F6C691	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF637684ECA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF63768BE06	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF65404AAF2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63748AD78	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF65401A1C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF63767F51A
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF654017C4C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653F612F8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationProcess: Direct from: 0x7FF637521F2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF65401B100	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FFE221E4B5E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63749208C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF637571304	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF63756DF12	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF637521447	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF637681B2B
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF637510043	Jump to behavior
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF65401A514	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationProcess: Direct from: 0x7FF637520F49	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateThreadEx: Direct from: 0x7FF637484B8B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF63753A1C6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateThreadEx: Direct from: 0x7FF63748484D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63756D07C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653F7208C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF6375141C9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF637681B3F
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF65416BD2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF63753B100	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x7FF63767F4FC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtSetInformationProcess: Direct from: 0x7FF654001F2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtReadFile: Direct from: 0x7FF653FFB6F3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653FFB65B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationToken: Direct from: 0x7FF637537C4C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF65415F51A
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF65401AD3A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF654001033	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF63752178F
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF65400178F
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF637521033	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF63751CC67	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	NtProtectVirtualMemory: Direct from: 0x6CCDD3EE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653F6AD78	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtReadFile: Direct from: 0x14011D832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF63768A237	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtClose: Direct from: 0x7FF65401AAF0
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtOpenKeyEx: Direct from: 0x7FF654019C13	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryInformationProcess: Direct from: 0x7FF654164ECA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x14011D7A4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x7FF653FFB4C9	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF65404D07C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653F71BDE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF63750FB8D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateFile: Direct from: 0x7FF65415D111	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF654051304	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtReadVirtualMemory: Direct from: 0x7FF637518A4D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQueryValueKey: Direct from: 0x7FF63753A514	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF6376804AA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x140120A3C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateThreadEx: Direct from: 0x7FF653F6484D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtCreateThreadEx: Direct from: 0x7FF653F64B8B	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtProtectVirtualMemory: Direct from: 0x7FF63768BD2E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtAllocateVirtualMemory: Direct from: 0x7FF653FFCC67	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	NtQuerySystemInformation: Direct from: 0x7FF637594E4D	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe base: 28F010	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe base: 14011BC08	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe base: 3F5010	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Code function: 10_2_000000014000BFFC CharLowerW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrcmpiW,lstrcmpW,lstrlenW,GetActiveWindow,GetTempPathW,lstrlenW,GetModuleFileNameW,CopyFileW,MessageBoxW,lstrlenW,ShellExecuteW,GetModuleFileNameW,CharLowerW,lstrlenW,

10_2_000000014000BFFC

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe	Process created: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe "C:\Windows\TEMP\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe" -burn.clean.room="C:\Users\user\Desktop\VmjvNTbD5J.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570EB9E0 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_00007FF6570EB9E0

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570E8ABC AllocateAndInitializeSid,CheckTokenMembership,

0_2_00007FF6570E8ABC

Source: WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570E5E80 cpuid

0_2_00007FF6570E5E80

Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,	2_2_1001D810
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,	2_2_1001D866
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: EnumSystemLocalesA,	2_2_1001C8A8
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,	2_2_1001D929
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: EnumSystemLocalesA,	2_2_1001C9BB
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: GetLocaleInfoA,	2_2_1001CBAF
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,	2_2_1001C448
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: EnumSystemLocalesA,	2_2_1001C61D
Source: C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,	2_2_1001D753

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570A0488 GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,CloseHandle,LocalFree,

0_2_00007FF6570A0488

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF657084D48 GetLocalTime,CreateFileW,GetLastError,Sleep,CloseHandle,

0_2_00007FF657084D48

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF65708AF70 GetUserNameW,GetLastError,

0_2_00007FF65708AF70

Source: C:\Users\user\Desktop\VmjvNTbD5J.exe

Code function: 0_2_00007FF6570FCDF0 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_00007FF6570FCDF0

Source: C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Code function: 1_2_6671447C GetVersion,memset,GetModuleFileNameA,PathRemoveFileSpecA,PathAppendA,??2@YAPEAX_K@Z,GetFileVersionInfoA,VerQueryValueA,??3@YAXPEAX@Z,

1_2_6671447C

Source: C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	4 Native API	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	11 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	11 DLL Side-Loading	3 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	11 DLL Side-Loading	NTDS	146 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 File Deletion	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	213 Process Injection	21 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	213 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VmjvNTbD5J.exe	47%	ReversingLabs	Win64.Trojan.Rugmi

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\wkvxqcae	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WCUtil.dll	43%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe	0%	ReversingLabs
C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe	58%	ReversingLabs	Win64.Trojan.Nekark
C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\Pedlary.dll	0%	ReversingLabs
C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WCUtil.dll	43%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://plerukilo0.site:443G	0%	Avira URL Cloud	safe
https://plerukilo0.site/J	0%	Avira URL Cloud	safe
https://plerukilo0.site:443X	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/products/wc/tour_win_t.htm	0%	Avira URL Cloud	safe
https://plerukilo0.site/$y	0%	Avira URL Cloud	safe
ftp://Welcome.htm_WCerror	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietes0$	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/v4/BootstrapperApplicationData	0%	Avira URL Cloud	safe
https://plerukilo0.site/I	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/v4/2008/BurnH	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	0%	Avira URL Cloud	safe
https://plerukilo0.site/Ky	0%	Avira URL Cloud	safe
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	0%	Avira URL Cloud	safe
https://plerukilo0.site/ty	0%	Avira URL Cloud	safe
https://plerukilo0.site/py	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/products/wc/tour_win_t.htmhttp://www.maximumsoft.com/products/wc/tour_win	0%	Avira URL Cloud	safe
https://plerukilo0.site:443	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/index_buy.html	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/v4/2008/Burn	0%	Avira URL Cloud	safe
https://plerukilo0.site/d	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/downloads/	0%	Avira URL Cloud	safe
https://plerukilo0.site/U	0%	Avira URL Cloud	safe
https://plerukilo0.site:443/proprietes?hnjw3jwgcrj=viecBZ17TbrJ0plncMPhyySmKom8GzHFEOPa51csL1qYzU39O	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietes?hnjw3jwgcrj=viecBZ17TbrJ0plncMPhyySmKom8GzHFEOPa51csL1qYzU39OAnqM	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/v4/BundleExtensionData	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietes6z	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/	0%	Avira URL Cloud	safe
https://plerukilo0.site/Wy	0%	Avira URL Cloud	safe
https://plerukilo0.site/V	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/products/wc/tour_win_nt.htm	0%	Avira URL Cloud	safe
http://www.softwareok.de/?Download=Find.Same.Images.OK	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietesQ	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/index_support.htmlgClick	0%	Avira URL Cloud	safe
https://plerukilo0.site/I8yZ	0%	Avira URL Cloud	safe
https://plerukilo0.site/	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietesS	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/index_skins.html	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/index_support.html7	0%	Avira URL Cloud	safe
https://plerukilo0.site/dy~	0%	Avira URL Cloud	safe
https://plerukilo0.site/Xyz	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/products/wc/tour_win_iet.htm	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietes	0%	Avira URL Cloud	safe
http://www.maximumsoft.com/index_transl.html	0%	Avira URL Cloud	safe
https://plerukilo0.site/proprietesGHz	0%	Avira URL Cloud	safe
https://plerukilo0.site:4436N	0%	Avira URL Cloud	safe
http://wixtoolset.org/schemas/v4/2008/Burnp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
plerukilo0.site	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://plerukilo0.site:443X	EKU_Make_debug_v4.exe, 0000000E.00000003.2448000505.000000000055E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/I	EKU_Make_debug_v4.exe, 0000000A.00000003.2156860948.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156984811.0000000000494000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false		high
http://ocsp.sectigo.com0	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://plerukilo0.site/J	EKU_Make_debug_v4.exe, 0000000A.00000003.2160391132.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156860948.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156984811.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.0000000000495000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximumsoft.com/products/wc/tour_win_t.htm	WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Freeware/Find.Same.Images.OK	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false		high
https://plerukilo0.site/proprietes0$	EKU_Make_debug_v4.exe, 0000000E.00000002.2450928590.0000000002D86000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/$y	EKU_Make_debug_v4.exe, 0000000A.00000003.2153993076.0000000000493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/v4/2008/BurnH	VmjvNTbD5J.exe, 00000001.00000002.1710123901.00000229D6AD0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
ftp://Welcome.htm_WCerror	WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443G	EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2166390533.00000000004AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://wixtoolset.org/schemas/v4/BootstrapperApplicationData	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/d	EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.000000000042C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/ty	EKU_Make_debug_v4.exe, 0000000A.00000003.2158291459.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2155475609.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2158447139.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156860948.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2155617581.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2156984811.0000000000494000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443	EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2165586598.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2161959109.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2163736974.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2167947962.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2166390533.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2163861233.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2167818938.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000003.2435323872.000000000055E000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000003.2448000505.000000000055E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://plerukilo0.site/py	EKU_Make_debug_v4.exe, 0000000A.00000003.2163893352.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2164153156.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.0000000000495000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/v4/2008/Burn	VmjvNTbD5J.exe, 00000000.00000003.1694764990.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1712279272.000002BC4E4D0000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694915894.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1712493671.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694915894.000002BC4CABE000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1710904366.000002BC4CB09000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694875001.000002BC4CABE000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1694764990.000002BC4CAC7000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1710123901.00000229D6AD0000.00000004.00000800.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000002.1709825331.00000229D6810000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/Ky	EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximumsoft.com/products/wc/tour_win_t.htmhttp://www.maximumsoft.com/products/wc/tour_win	WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximumsoft.com/index_buy.html	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximumsoft.com/downloads/	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/proprietes?hnjw3jwgcrj=viecBZ17TbrJ0plncMPhyySmKom8GzHFEOPa51csL1qYzU39OAnqM	EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/U	EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:443/proprietes?hnjw3jwgcrj=viecBZ17TbrJ0plncMPhyySmKom8GzHFEOPa51csL1qYzU39O	EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.000000000042C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/V	EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com/?Download=Find.Same.Images.OK	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.maximumsoft.com/	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000000.1705222146.000000000087D000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105703835.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/Wy	EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/proprietes6z	EKU_Make_debug_v4.exe, 0000000A.00000002.2172416660.0000000002D66000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://wixtoolset.org/schemas/v4/BundleExtensionData	VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A39000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximumsoft.com/products/wc/tour_win_nt.htm	WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/proprietesQ	EKU_Make_debug_v4.exe, 0000000E.00000002.2450928590.0000000002D86000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de/?Download=Find.Same.Images.OK	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.maximumsoft.com/index_support.htmlgClick	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site/I8yZ	EKU_Make_debug_v4.exe, 0000000A.00000003.2158291459.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2158447139.0000000000494000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703106292.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000001.00000003.1703378095.00000229D4A30000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0	EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401F4000.00000002.00000001.01000000.00000010.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2462550571.00000001401F4000.00000002.00000001.01000000.00000010.sdmp	false		high
https://plerukilo0.site/	EKU_Make_debug_v4.exe, 0000000A.00000003.2165775730.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2155393234.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2153993076.0000000000493000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2170891730.0000000000495000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000003.2449329946.0000000000548000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000E.00000002.2449720304.0000000000552000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/proprietesS	EKU_Make_debug_v4.exe, 0000000A.00000002.2172416660.0000000002D66000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.???.xx/?search=%s	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plerukilo0.site:443x	EKU_Make_debug_v4.exe, 0000000A.00000003.2161959109.00000000004B1000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2161832944.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2160051819.00000000004B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.maximumsoft.com/index_support.html7	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/proprietesGHz	EKU_Make_debug_v4.exe, 0000000A.00000002.2172416660.0000000002D66000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/dy~	EKU_Make_debug_v4.exe, 0000000A.00000003.2163893352.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2162238370.0000000000494000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2161989373.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2164153156.0000000000494000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maximumsoft.com/index_skins.html	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site/proprietes	EKU_Make_debug_v4.exe, 0000000E.00000002.2450928590.0000000002D86000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.maximumsoft.com/products/wc/tour_win_iet.htm	WebCopier.exe, 00000002.00000000.1705010990.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000002.1726654133.000000000078F000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724090947.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 00000003.00000002.1786226646.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105602327.000000000078F000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165697554.000000000078F000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.info-zip.org/	WebCopier.exe, 00000002.00000002.1733072531.000000000981B000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.0000000009753000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.0000000005421000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.00000000025F6000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/watch?v=	WebCopier.exe, 00000002.00000000.1705222146.000000000087D000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000003.00000000.1724311518.000000000087D000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000000.2105703835.000000000087D000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://plerukilo0.site/Xyz	EKU_Make_debug_v4.exe, 0000000A.00000003.2163893352.000000000048D000.00000004.00000020.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000003.2164153156.0000000000494000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.surfok.de/	cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.maximumsoft.com/index_transl.html	VmjvNTbD5J.exe, 00000001.00000003.1702791021.00000229D4A49000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000002.00000002.1727274131.0000000000B12000.00000002.00000001.01000000.00000007.sdmp, WebCopier.exe, 00000002.00000003.1720428781.0000000009D9B000.00000004.00000001.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000000.1724311518.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp, WebCopier.exe, 0000000B.00000002.2165962906.0000000000B12000.00000002.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plerukilo0.site:4436N	EKU_Make_debug_v4.exe, 0000000E.00000003.2448000505.000000000055E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/schemas/v4/2008/Burnp	VmjvNTbD5J.exe, 00000000.00000003.1711503150.000002BC4EC58000.00000004.00000800.00020000.00000000.sdmp, VmjvNTbD5J.exe, 00000000.00000003.1711479523.000002BC4EC59000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.com	WebCopier.exe, 00000002.00000002.1733072531.0000000009871000.00000004.00000020.00020000.00000000.sdmp, WebCopier.exe, 00000003.00000002.1791149490.00000000097A9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2060451900.000000000546A000.00000004.00000800.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2171655764.000000000263F000.00000004.00000001.00020000.00000000.sdmp, EKU_Make_debug_v4.exe, 0000000A.00000002.2187738743.00000001401E0000.00000002.00000001.01000000.00000010.sdmp, WebCopier.exe, 0000000B.00000002.2171490702.00000000096F9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000C.00000002.2340538102.00000000051FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsyn	VmjvNTbD5J.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586717
Start date and time:	2025-01-09 14:42:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VmjvNTbD5J.exe renamed because original name is a hash value
Original Sample Name:	8ed2ebe94abc2758e4db53c476f8b7a69b5436fe176cba112802990547c5bb24.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@18/20@2/0
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 78% Number of executed functions: 63 Number of non-executed functions: 232
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.253.45
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WebCopier.exe, PID 5264 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: VmjvNTbD5J.exe

Simulations

Behavior and APIs

Time	Type	Description
08:43:43	API Interceptor	1x Sleep call for process: VmjvNTbD5J.exe modified
08:44:20	API Interceptor	40x Sleep call for process: EKU_Make_debug_v4.exe modified
08:44:36	API Interceptor	1x Sleep call for process: cmd.exe modified
13:44:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITA0F9.tmp
13:44:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\writercloud_VMX_alpha.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe	8Rmoal0v85.exe	Get hash	malicious	Unknown	Browse
	cLm7ThwEvh.msi	Get hash	malicious	Unknown	Browse
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	w3245.exe	Get hash	malicious	Unknown	Browse
	9mauyKC3JW.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	ATLEQQXO.exe	Get hash	malicious	Unknown	Browse
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6c4cbe36

Download File

Process:	C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe
File Type:	data
Category:	dropped
Size (bytes):	5602086
Entropy (8bit):	7.7366034218979856
Encrypted:	false
SSDEEP:	98304:J4pkjdDUo6ETAjMOINsdAC3LA7ZoCgX87ku7bRFhDTR2kGG:aGpDaCcasLA7GCgI7bxDT4hG
MD5:	D5BFB4D12BB1EC3C6891F7E8A15464B1
SHA1:	985392881D104E29F7F3434F6930C4A4317FC4A6
SHA-256:	33DCBD4C2EA8A46E996DB8166F207C4660269AB3D0D828F5A7A9C2C02CDF0496
SHA-512:	955FD26A82FA398A92E2301F2EC8537523E67258BCC697122159A3E2A4E47BF75678F3F566E1304B9C3F8939FB51A1B31B9D831C3C00EF6AD324BC493FEEB8CC
Malicious:	false
Preview:	...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F../F.L~..Lz..Qc/..A5.kZ..d@".z]..yO4.-c#.xr..bI4.`]..yO4.x^F...F...F...F...F...F...F...F...F...F...F...F.bg(.yG'.dT#.u.F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.bm4.lZ#.c]2.cM#...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.Zg..D\|c.@G%.b]).y...Yr..lC#.b\-...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.?.v.8.q.:.F...F...F...F...F...F...F...F...F...F...F

C:\Users\user\AppData\Local\Temp\82eb896d

Download File

Process:	C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe
File Type:	data
Category:	dropped
Size (bytes):	5602086
Entropy (8bit):	7.736603497926146
Encrypted:	false
SSDEEP:	98304:Q4pkjdDUo6ETAjMOINsdAC3LA7ZoCgX87ku7bRFhDTR2kGG:HGpDaCcasLA7GCgI7bxDT4hG
MD5:	3DC89E964F8EAA9B3AE9F63B9F8EB01E
SHA1:	03A9156A419D19DC89531AFB1CA7C932854D04A1
SHA-256:	941ECD8C83627CF0105B413ACE268726974511367AEC4830FAEEB381A11DD2C4
SHA-512:	BB72A1378E62C19BD0EEC5A01C3531E3D6F9E87697541F6991E9C49330346633A8F23854566CF42294B5D37E9D39930995DACD60DFAB4BDBA9F2780AB597A179
Malicious:	false
Preview:	...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F../F.L~..Lz..Qc/..A5.kZ..d@".z]..yO4.-c#.xr..bI4.`]..yO4.x^F...F...F...F...F...F...F...F...F...F...F...F.bg(.yG'.dT#.u.F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.bm4.lZ#.c]2.cM#...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.Zg..D\|c.@G%.b]).y...Yr..lC#.b\-...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F...F.?.v.8.q.:.F...F...F...F...F...F...F...F...F...F...F

C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.cleanroom.log

Download File

Process:	C:\Users\user\Desktop\VmjvNTbD5J.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	732
Entropy (8bit):	5.433071609110206
Encrypted:	false
SSDEEP:	12:PKP7uXNULLWUz+8rXjTyXjBSRcP2EmRKp8ZyXjBSRcP2EWKpGyXjBSRcP2rRKpfV:PYYNwLLz+eXSXscP2wfXscP2MjXscP2O
MD5:	1BB365E03AB49C630AD7725274228680
SHA1:	3EC95BF7018723FF5876A317E6759199363CE8DF
SHA-256:	7B856D5E33CEB8CF3D6D131C1A0C5F517D3321F8B1C48219FB5690B5E02F0A69
SHA-512:	D4E6D2B60EA1175ADCB392FAC69040197C9C2C3122B74F3DB7ED6E7897AB7433AE687DB14ED255FD3225D1DB07071C3E717010435411DA93E77D927B14C280DB
Malicious:	false
Preview:	[18A0:1954][2025-01-09T08:43:41]i001: Burn x64 v4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Users\user\Desktop\VmjvNTbD5J.exe..[18A0:1954][2025-01-09T08:43:42]i009: Command Line: ''..[18A0:1954][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\VmjvNTbD5J.exe'..[18A0:1954][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[18A0:1954][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.cleanroom.log'..[18A0:1954][2025-01-09T08:43:43]i017: Exit code: 0x0..

C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.log

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1122
Entropy (8bit):	5.480951674033435
Encrypted:	false
SSDEEP:	24:xX1YNwLLzEPXDzwXscP2wYUXscP2MNXscP2Ufe+UXscP2rXscP2EbUXscP2M:xONuEPYzcUz1zhexzwznbUzr
MD5:	6359C861662B4FB88165C33572C1CAE3
SHA1:	3F39210911264FA6221806CA74EFF5E09BECF387
SHA-256:	D33519B339488F5AD122FE939601DAC1EEF29157403DA08D693DD7A123E56F1C
SHA-512:	8C53FFAB4C520492989663A028706447778C8D793969D3FFB48A817CA11F10F9C3115BBA5C557CB3511904D6E226FEFB6405EA54AE6EC18330FCC134C3DE7CCF
Malicious:	false
Preview:	[1904:18F4][2025-01-09T08:43:42]i001: Burn x64 v4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, Windows v10.0 x64 (Build 19045: Service Pack 0), path: C:\Windows\TEMP\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe..[1904:18F4][2025-01-09T08:43:42]i009: Command Line: '-burn.clean.room=C:\Users\user\Desktop\VmjvNTbD5J.exe -burn.filehandle.attached=564 -burn.filehandle.self=572'..[1904:18F4][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\VmjvNTbD5J.exe'..[1904:18F4][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\Desktop\'..[1904:18F4][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.log'..[1904:18F4][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleInProgressName' to value ''..[1904:18F4][2025-01-09T08:43:42]i000: Setting string variable 'WixBundleName' to valu

C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2364728
Entropy (8bit):	6.606009669324617
Encrypted:	false
SSDEEP:	49152:lbCT2kOGRpfJMi3kLRQrjYgeeZyTDwMHfDYZNBi:TkOKMiY0BZMHfDYZNBi
MD5:	967F4470627F823F4D7981E511C9824F
SHA1:	416501B096DF80DDC49F4144C3832CF2CADB9CB2
SHA-256:	B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
SHA-512:	8883EAD428C9D4B415046DE9F8398AA1F65AE81FE7945A840C822620E18F6F9930CCE2E10ACFF3B5DA8B9C817ADE3DABC1DE576CBD255087267F77341900A41C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8Rmoal0v85.exe, Detection: malicious, Browse Filename: cLm7ThwEvh.msi, Detection: malicious, Browse Filename: LVkAi4PBv6.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: w3245.exe, Detection: malicious, Browse Filename: 9mauyKC3JW.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: ATLEQQXO.exe, Detection: malicious, Browse Filename: upgrade.hta, Detection: malicious, Browse Filename: MiJZ3z4t5K.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:<..To..To..To.:.o..To...o..To.:9o..To.:.o..To.:/o..To..Uoe.To...o\|.To...o..To...o..To...o..ToRich..To................PE..d...^.?e..........#......H.....................@..............................%.....h.$.....................................................XW..,........q...p..$h....#.8)......................................(....................`...............................text...RG.......H.................. ..`.rdata..R/...`...0...L..............@..@.data................\|..............@....pdata..$h...p...j..................@..@Shared...............p..............@....tls.................x..............@....rsrc....q.......r...z..............@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\toxpkftoidctr

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 9 12:43:44 2025, mtime=Thu Jan 9 12:43:45 2025, atime=Sat Dec 28 18:23:52 2024, length=7579704, window=hide
Category:	dropped
Size (bytes):	936
Entropy (8bit):	5.022295924799116
Encrypted:	false
SSDEEP:	12:8ubhH5l1s4N6SWCyuLlddY//Au09SLAWq0NiljEjATmrHU5JICIBGBmV:8SHLXNGI+IqQ0wUAySLTBm
MD5:	B18A89211E70D7DB6A21AD0A9D2CE13B
SHA1:	025634109B1C04946A64C62D2AE6F167D07B16EA
SHA-256:	38ABE947BBC0121971A5705DE9E86A887D16A302ADD01C1A632FEE35353C74EA
SHA-512:	58832DEAA45E860BC0869707324170F9AF8D2CA980737BE9B1D650979E97B6C5B0D08251D0BDE4E699C98FB287994D1A7E9D666D455460EB8CBF9FA32CBB7F3E
Malicious:	false
Preview:	L..................F.... .....a..b..4t...b....0.^Y..8.s.......................:..DG..Yr?.D..U..k0.&...&......vk.v......az.b......b......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^)Ztm...........................%..A.p.p.D.a.t.a...B.V.1.....)Zwm..Roaming.@......CW.^)Zwm..........................F?..R.o.a.m.i.n.g.....l.1.....)Zwm..CHROME~1..T......)Zwm)Zwm...........................T..C.h.r.o.m.e.Q.u.i.c.k._.D.V.B.v.5.....h.2.8.s..Y.. .WEBCOP~1.EXE..L......)Zwm)Zwm....")........................W.e.b.C.o.p.i.e.r...e.x.e.......m...............-.......l............R......C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe..-.....\.....\.R.o.a.m.i.n.g.\.C.h.r.o.m.e.Q.u.i.c.k._.D.V.B.v.5.\.W.e.b.C.o.p.i.e.r...e.x.e.`.......X.......899552...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\wkvxqcae

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2505728
Entropy (8bit):	6.683714555081184
Encrypted:	false
SSDEEP:	49152:QW0DiTqAgRUKAMG3qA+W65WZTN4hS2EDUrkaV4RQGSKqBfV7m3Y2hIm9RGSQX100:JipWZ2qRcBT
MD5:	B596AF2DE1506E0C2BD760A8E3D60479
SHA1:	0F241562F68D07CCC6600844272096806AB35CEE
SHA-256:	B7177B171BD935890D0493CEC143EE900D4AF3B8C57EAC0AA1E99C82ABFD966B
SHA-512:	8ADCABD698F9A6D5C03C7DC2FBB7788391CCD63F3B4A4254ED3F9857499BC8E741B5FBEA77B53106B8EA69F2506FD9892721CB80442FFEFA5351A0C323C0494C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q.@Q.................. .. &..x..W..........@.............................00.......&...`... .............................................../......./.8....`%.lu............0..............................W%.(...................x./..............................text..... ....... .................`..`.data......... ....... .............@....rdata........!.......!.............@..@.pdata..lu...`%..v...F%.............@..@.xdata..0W....%..X....%.............@..@.bss.....w...@&..........................idata......../.......&.............@....CRT....0...../.......&.............@....tls........../.......&.............@....rsrc...8...../.......&.............@..@.reloc........0...... &.............@..Bepj...... ....0......$&.............@...................................................................................................................................

C:\Users\user\AppData\Local\Temp\yirxmaoe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	2505728
Entropy (8bit):	6.683714555081184
Encrypted:	false
SSDEEP:	49152:QW0DiTqAgRUKAMG3qA+W65WZTN4hS2EDUrkaV4RQGSKqBfV7m3Y2hIm9RGSQX100:JipWZ2qRcBT
MD5:	B596AF2DE1506E0C2BD760A8E3D60479
SHA1:	0F241562F68D07CCC6600844272096806AB35CEE
SHA-256:	B7177B171BD935890D0493CEC143EE900D4AF3B8C57EAC0AA1E99C82ABFD966B
SHA-512:	8ADCABD698F9A6D5C03C7DC2FBB7788391CCD63F3B4A4254ED3F9857499BC8E741B5FBEA77B53106B8EA69F2506FD9892721CB80442FFEFA5351A0C323C0494C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q.@Q.................. .. &..x..W..........@.............................00.......&...`... .............................................../......./.8....`%.lu............0..............................W%.(...................x./..............................text..... ....... .................`..`.data......... ....... .............@....rdata........!.......!.............@..@.pdata..lu...`%..v...F%.............@..@.xdata..0W....%..X....%.............@..@.bss.....w...@&..........................idata......../.......&.............@....CRT....0...../.......&.............@....tls........../.......&.............@....rsrc...8...../.......&.............@..@.reloc........0...... &.............@..Bepj...... ....0......$&.............@...................................................................................................................................

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WCUtil.dll

Download File

Process:	C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.351681914669155
Encrypted:	false
SSDEEP:	3072:oO4+0LodFt+wsxMl1NqAc5iSttkClFelrl+AMVaKoXA1OaYe:oO4xMdFowsxizqyStZlFel5npA1OaF
MD5:	FA05AB4DD4914384F5FB35D33BC73A0F
SHA1:	0309F593ADCD0673919269D8DC40F95081D103D4
SHA-256:	3F8CE1047167F498734B88C959CF4FF89622C8229C89B6A3333D3BC3823F85B3
SHA-512:	CCCE1623AC2EA29E66778C2C1B76DB2320F488548F353B04F65E03BA5AEFC3BA150E61C729ED112747BA969BE6DDA601EA3292DDB43F378C7C708E3C45E0A5FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.R.-.R.-.R.-.).!.T.-..#.K.-.'..-.'.Y.-.0.>.W.-.R.,.:.-.&.q.-.).S.-.RichR.-.........................PE..L.....GL...........!................ZR...............................................................................P.......F..<....................................................................................................................text............................... ..`.rdata...S.......`..................@..@.data...\|J...p...0...p..............@....reloc...-.......0..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe

Download File

Process:	C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7579704
Entropy (8bit):	6.84709467393535
Encrypted:	false
SSDEEP:	196608:ykxa78pklLylqrJ6CkamuqW5A1eMoxFLOyomFHKnPH:+gW5oSF+
MD5:	E2A27870BA4DA90DF6276C4DA9E3CF82
SHA1:	CD0A17F6DDC7B4994D98F26848C3A2D7DAE74E68
SHA-256:	9F1BB79EF7D76E5DDDC628D0455C1F6A6AA068CC210F1D238A231F77AC9CBBA2
SHA-512:	66C4D8D1C6CB45A6C10CBB16D4388858980E7BC4F57FB88DC2A3B7B8FC6DA82DBA3E9B1BFD33EA4C25A7AFD5612C2823915E5F0759728CCCFE81BD4F99AFC235
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......D...............e.."...e........-.....e....e......e..&.....i........"...............................................t......t.Q.......9.....t......Rich....................PE..L...O..^..................8...;.......,.......8...@.......................... t.......t.....................................l#F.......G.(F,...........s.8.............?.T.....................?.......>.@.............8.X.....F.@....................text.....8.......8................. ..`.rdata..p.....8.......8.............@..@.data....@....F......bF.............@....rsrc...(F,...G..H,..BG.............@..@........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\cathedra.wmv

Download File

Process:	C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
File Type:	data
Category:	dropped
Size (bytes):	4469405
Entropy (8bit):	7.95660152908976
Encrypted:	false
SSDEEP:	98304:IVvV7XPZLI6LoL6XWx44ibjVD4CBDLAJ32NSCU3pjug7iw:IVQ6kL6G23VD4CBDw3LCUZjuIiw
MD5:	772D57BC0AB0B82F3C35990EA58AABC2
SHA1:	DDA21EA8FF8468122E09271FB915F0BAB9ACF544
SHA-256:	60E662EF1ED6AC0FC757D9402AB859A7ED45F91A7183355B4464A60759A440C1
SHA-512:	5A50D936CB2CF9809F0F88A3A166EBA6C645B54B0C2A28BB1B64B1EA058EC30FA55FA7EE9D41B3832B23994A35C3C9F60DAC669AF1E898219C53DDC4C47E72CD
Malicious:	false
Preview:	.pM.e........Hl.......ic`D....s.V..F..pG....vQ......j..[e...Pa...L...H..rXnP.....Sm...ndn....j..nWTvu.f..k.Q..Gt.OK..QT.tIV.JN...j..nZ.SBq.\L.a..C..l..r....W.D.MG.p..`mjrxsXxoT.Fq.g.xp...]..fj..F.K...^.MGj.prl..P....d...H..\YtJ.c.......c.li..e....k...EGw...N...Fu...at].p.....xj.R.K.ENc.q^._.HPQY[D.a..L..Rq.DaW.W.o..wW.YV..BO..PI.._..fv....rV.E.w.H.cWSN.SL.Wm..a.Gw.i.B.v..p_p.hK..BPR..ff.xOE..D_..l.m..Gd.J...V..X....v_.Sy.aj`DY..._....b\Ic.Zm.aalks..ILvZ]...._Y.x..Ttn.Pd..nYDW.jp...nH_\`.id.roy......d...PRN^re..._...gWFq_..P....LKe.]C.e..bGpk.u..wH...s.ed^..]._b.\._Y...bcZKZ.E....R..Ql.HryH.W..M.Qa....PWS..LQNFBX.m..U..x.Cb.w.V...Y.s.`.N..UE.GHnj._OSi.Q.r]ummdc.`.S.j^.w..jC..W.......Ncc..lHU.......F.oQI.E.....h...[.NuC[G....._.ZxZ..D...C..d.Ybh.l].JL...VK..E...vy.cXOl.c...Pk..d.[..Dq....bw..BSR_c.Xw.m.H._X^.Y.b...Ba..Q..chjwNR`a..\S.....bj[MX[.x.A.......C.`b^_..XIo.\..oDl....hp_tqqV..C....w.ee...^nD.].Fn.W.d..R...PMWQi.ci..p..b..g..P.Y.g..w_cYy.F.c....xy...w.l..j.XI]....X.W.k...[HcMw...

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\necropsy.eml

Download File

Process:	C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
File Type:	data
Category:	dropped
Size (bytes):	43077
Entropy (8bit):	4.745006147010959
Encrypted:	false
SSDEEP:	768:AjAlxcFjdt7p5LtbCiDFf9Am4ysG4z+w5KKMX9PLDjn:Pxg7fLtbh8IcE9PLDjn
MD5:	33D9C73A5F1B9C5B16E9FF892F24A05A
SHA1:	7DC1DF26FF605549E50F2DBD8BB69C179E7A6B3C
SHA-256:	030D40902ED53B64F03B4FD91D1ED4B931140F155DFF02E058D93F019F43D2DB
SHA-512:	19F857CBF4010172EC5E83F0B0AFE50798CE61663ABE0CE19C8098F6B9CA930026FB3BC8161A812265A64F38CC2BB144CAEFD154701FFFB8F808BB4649F2B0FA
Malicious:	false
Preview:	D...V^..j..a.E..QE...qAa.UTBT.Ef.e....\.q.SlK..rZ[ywW^...]AI.G.`.JRoZaKQ.....n..LT.SNugG...\.I.na.AGaY.d.E.H.l.y.....j`..o.VqtY......n..Y.eQT..vY......m.E.Ax.q.._v..UuT..yVT.K...rf.hlO...q...t..nH...b.lZv..Qm.Hyj...L...[.[a.a.j.s.J.q.xo...t.....O.dNN....S.j.lwE..A..n[....y..V...U.J.H.HfP..W_B.o..jUwB.d......C].OO....tZ...fSaQi...Ensbi..XW.......M...I..\q.Z.........FY...GE.J[._kXGb[..f...ID.Ha..qc.G...i...D..].PHbH..K.V.DboPR.ny_kF.R\R.gl`.f.k.Wr.WR.WP..U.N.p..Ss.]D..s.k....ZA......i.Y.NKQk.Kc..L..Y.P.ej......].......Ht..nC..U.XN.m.I.....C...F.ZXSQ..D.bGB_.w.o.\BaKD.j...Vwy....`...p...]OV.Yt..HX.D`.vA..NM..F.D.U...X.p..KYku.\.K.sGbK...i.s...a...Yl.......C[...H.cr.H.Ygc..Zl.t..d_.y......SrMvC..XtW.hJ..jD....f...T......xRsT......g.n...X..C..Q.m.oqe.a..kZ.qDBAD...i.`C.o[.C..^e.V.NM..N.nvc.yb....Gq..._Y....g.ZN...q..jvY.ysV....Cf_B.....e.H.L.n[A.L.`.Lr.WBgaAW.\\H.Khy.VE.Ku..[...dCU...Z....TD...o..c.E..`.b..L.B..Xp....s..Y.U..ZpO..Bm.sVk.Vt.g...oM.SkuL.rX.l.LU....\..d....xR.yw..N.....F.td...

C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

Download File

Process:	C:\Users\user\Desktop\VmjvNTbD5J.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	7814631
Entropy (8bit):	7.965065406976698
Encrypted:	false
SSDEEP:	196608:f/udXsI8lAWZkhDIIUctmEFpnr8Kxdw3+Q:fKX1+A2khsctmEFJrbjQ
MD5:	B153C388223577EA044ACA3908BE2935
SHA1:	B7DCD73611D5C85871E6191E32A90E465654D1A2
SHA-256:	12880838FDFB4C1AF193AC963CE4B6019051545B201F303884BF1711172E275B
SHA-512:	F53D25B761B7EB7B73B0F0E39F36FAA042DBFDEB0FAAA65E2E17C473B7B1B4E486619735E0193904A1255C4E7C7F5892BDC0D8D934F55D07B8E6A45BCFF8E253
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R.>..eP..eP..eP.].S..eP.].U.eP.Y.T..eP.Y.S..eP.Y.U.;eP..U.BeP.].T..eP.].V..eP.].Q..eP..eQ.sdP...U..eP......eP..e...eP...R..eP.Rich.eP.........PE..d....p-d.........."....".............=.........@..........................................`.................................................P6..........(P......HE...........p......p...T.......................(...p...@...............(....0.. ....................text............................... ..`.rdata...b.......d..................@..@.data...."...`.......F..............@....pdata..HE.......F...R..............@..@.didat..............................@....wixburn0...........................@..@_RDATA..\...........................@..@.rsrc...(P.......R..................@..@.reloc.......p......................@..B........................................................................................................

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (578), with CRLF line terminators
Category:	dropped
Size (bytes):	2654
Entropy (8bit):	3.743876977740129
Encrypted:	false
SSDEEP:	48:y+03N6hOfgFLvkwcne1+ercuCuqatMJD0wfycJeGgDrG9i1yr9Xi1s5rIl:72wcn6+ercuLqka0wfyci29Wyr9XWs5C
MD5:	B0938047D6FB88200838F89D36146D54
SHA1:	2D0ADCAE671D73DC03E23683BA070E62C8093511
SHA-256:	DECFE73B2CB6176156EA0C67F39DE7919E68EFE9B8AF00E658F32CDBBC11BA57
SHA-512:	0CFAEE19111763764585EC82EAA4C5722730F56B231FDE0F3467BDA1288DE13B607A9715E1A6EA9B3833CABFFAC98794BB0EB6126A3F1E524802D45882829DBD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.w.i.x.t.o.o.l.s.e.t...o.r.g./.s.c.h.e.m.a.s./.v.4./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".A.c.u.p.r.e.s.s.u.r.e.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.8.2.E.A.A.5.A.E.-.9.3.D.4.-.4.0.C.8.-.9.E.8.5.-.B.6.3.9.0.9.B.1.3.F.1.2.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.A.1.0.4.0.0.3.A.-.1.4.2.B.-.4.D.0.9.-.8.5.8.E.-.F.3.4.2.F.2.0.5.8.3.A.2.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.R.o.l.l.b.a.c.k.B.o.u.n.d.a.r.y. .I.d.=.".W.i.x.D.e.f.a.u.l.t.B.o.u.n.d.a.r.y.". .V.i.t.a.l.=.".y.e.s.". .T.r.a.n.s.a.c.t.i.o.n.=.".n.o.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.k.a.g.e.=.".U.r.o.s.c.o.p.y.". .V.i.t.a.l.=.".y.e.s.". .D.i.s.p.l.a.y.N.a.

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\BundleExtensionData.xml

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.50802487441866
Encrypted:	false
SSDEEP:	6:QFulcLk0YR5Ie8GcUlLulFwENeWlYmH1fMWGVUlLulFwEnk:QF/LXYRWe8OLqF3Ye1kWGaLqFhk
MD5:	A35990570AFAA7D023FD2EBBE229AFB8
SHA1:	86688B13D3364ADB90BBA552F544D4D546AFD63D
SHA-256:	9B696AD0EC3B37BAC11DA76BCD51AD907D31EE9638DAD7BB8FDD5AEF919EF621
SHA-512:	1845B25697FED6D694428F53B2D1B2ABF1ACF8A09E8E49A536759822AD5B1A75D51BC7AE4D73E435B7BBC23AC34C9AED76F17414D218B54DA546C908F9A5182C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.u.n.d.l.e.E.x.t.e.n.s.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.w.i.x.t.o.o.l.s.e.t...o.r.g./.s.c.h.e.m.a.s./.v.4./.B.u.n.d.l.e.E.x.t.e.n.s.i.o.n.D.a.t.a.". ./.>.

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\Pedlary.dll

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39048
Entropy (8bit):	6.308071188599813
Encrypted:	false
SSDEEP:	768:6FtuUXVquBaZxkBfy4jwG9DQ6xnXmzxaRAzGIILnv:6qMckBfld9LnIxXzaLv
MD5:	4C87D6BAF09AC581EA54394E3F38B9E8
SHA1:	A24503B11068369A83D0E90CAC02B67B5C99958C
SHA-256:	2F49C1D5A31D345760EF393D6A2E7AF8987ED31FECE4ABB72B16ED22F3DFDA7F
SHA-512:	26143AB73DB50755CF62E15D229E8F257ECF54B9A6BF1F89F516A5995961DAA46045ACECEC7D521593198A365F9E21E34E41403FACC43DE7E533BFEC0CEA43A0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........JY..+7..+7..+7..L..+7..S...+7..S...+7..S...+7..+6.d+7..S...+7..Z..+7..S...+7..S...+7...I..+7..S...+7..S...+7.Rich.+7.................PE..d..../*P.........." .....h...........O.........p..........................................@..........................................w..i....n.......................\|..........j... ................................................................................text....g.......h.................. ..`.data...@............l..............@....pdata...............r..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WCUtil.dll

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.351681914669155
Encrypted:	false
SSDEEP:	3072:oO4+0LodFt+wsxMl1NqAc5iSttkClFelrl+AMVaKoXA1OaYe:oO4xMdFowsxizqyStZlFel5npA1OaF
MD5:	FA05AB4DD4914384F5FB35D33BC73A0F
SHA1:	0309F593ADCD0673919269D8DC40F95081D103D4
SHA-256:	3F8CE1047167F498734B88C959CF4FF89622C8229C89B6A3333D3BC3823F85B3
SHA-512:	CCCE1623AC2EA29E66778C2C1B76DB2320F488548F353B04F65E03BA5AEFC3BA150E61C729ED112747BA969BE6DDA601EA3292DDB43F378C7C708E3C45E0A5FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.R.-.R.-.R.-.).!.T.-..#.K.-.'..-.'.Y.-.0.>.W.-.R.,.:.-.&.q.-.).S.-.RichR.-.........................PE..L.....GL...........!................ZR...............................................................................P.......F..<....................................................................................................................text............................... ..`.rdata...S.......`..................@..@.data...\|J...p...0...p..............@....reloc...-.......0..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7579704
Entropy (8bit):	6.84709467393535
Encrypted:	false
SSDEEP:	196608:ykxa78pklLylqrJ6CkamuqW5A1eMoxFLOyomFHKnPH:+gW5oSF+
MD5:	E2A27870BA4DA90DF6276C4DA9E3CF82
SHA1:	CD0A17F6DDC7B4994D98F26848C3A2D7DAE74E68
SHA-256:	9F1BB79EF7D76E5DDDC628D0455C1F6A6AA068CC210F1D238A231F77AC9CBBA2
SHA-512:	66C4D8D1C6CB45A6C10CBB16D4388858980E7BC4F57FB88DC2A3B7B8FC6DA82DBA3E9B1BFD33EA4C25A7AFD5612C2823915E5F0759728CCCFE81BD4F99AFC235
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......D...............e.."...e........-.....e....e......e..&.....i........"...............................................t......t.Q.......9.....t......Rich....................PE..L...O..^..................8...;.......,.......8...@.......................... t.......t.....................................l#F.......G.(F,...........s.8.............?.T.....................?.......>.@.............8.X.....F.@....................text.....8.......8................. ..`.rdata..p.....8.......8.............@..@.data....@....F......bF.............@....rsrc...(F,...G..H,..BG.............@..@........................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\cathedra.wmv

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	data
Category:	dropped
Size (bytes):	4469405
Entropy (8bit):	7.95660152908976
Encrypted:	false
SSDEEP:	98304:IVvV7XPZLI6LoL6XWx44ibjVD4CBDLAJ32NSCU3pjug7iw:IVQ6kL6G23VD4CBDw3LCUZjuIiw
MD5:	772D57BC0AB0B82F3C35990EA58AABC2
SHA1:	DDA21EA8FF8468122E09271FB915F0BAB9ACF544
SHA-256:	60E662EF1ED6AC0FC757D9402AB859A7ED45F91A7183355B4464A60759A440C1
SHA-512:	5A50D936CB2CF9809F0F88A3A166EBA6C645B54B0C2A28BB1B64B1EA058EC30FA55FA7EE9D41B3832B23994A35C3C9F60DAC669AF1E898219C53DDC4C47E72CD
Malicious:	false
Preview:	.pM.e........Hl.......ic`D....s.V..F..pG....vQ......j..[e...Pa...L...H..rXnP.....Sm...ndn....j..nWTvu.f..k.Q..Gt.OK..QT.tIV.JN...j..nZ.SBq.\L.a..C..l..r....W.D.MG.p..`mjrxsXxoT.Fq.g.xp...]..fj..F.K...^.MGj.prl..P....d...H..\YtJ.c.......c.li..e....k...EGw...N...Fu...at].p.....xj.R.K.ENc.q^._.HPQY[D.a..L..Rq.DaW.W.o..wW.YV..BO..PI.._..fv....rV.E.w.H.cWSN.SL.Wm..a.Gw.i.B.v..p_p.hK..BPR..ff.xOE..D_..l.m..Gd.J...V..X....v_.Sy.aj`DY..._....b\Ic.Zm.aalks..ILvZ]...._Y.x..Ttn.Pd..nYDW.jp...nH_\`.id.roy......d...PRN^re..._...gWFq_..P....LKe.]C.e..bGpk.u..wH...s.ed^..]._b.\._Y...bcZKZ.E....R..Ql.HryH.W..M.Qa....PWS..LQNFBX.m..U..x.Cb.w.V...Y.s.`.N..UE.GHnj._OSi.Q.r]ummdc.`.S.j^.w..jC..W.......Ncc..lHU.......F.oQI.E.....h...[.NuC[G....._.ZxZ..D...C..d.Ybh.l].JL...VK..E...vy.cXOl.c...Pk..d.[..Dq....bw..BSR_c.Xw.m.H._X^.Y.b...Ba..Q..chjwNR`a..\S.....bj[MX[.x.A.......C.`b^_..XIo.\..oDl....hp_tqqV..C....w.ee...^nD.].Fn.W.d..R...PMWQi.ci..p..b..g..P.Y.g..w_cYy.F.c....xy...w.l..j.XI]....X.W.k...[HcMw...

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\necropsy.eml

Download File

Process:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
File Type:	data
Category:	dropped
Size (bytes):	43077
Entropy (8bit):	4.745006147010959
Encrypted:	false
SSDEEP:	768:AjAlxcFjdt7p5LtbCiDFf9Am4ysG4z+w5KKMX9PLDjn:Pxg7fLtbh8IcE9PLDjn
MD5:	33D9C73A5F1B9C5B16E9FF892F24A05A
SHA1:	7DC1DF26FF605549E50F2DBD8BB69C179E7A6B3C
SHA-256:	030D40902ED53B64F03B4FD91D1ED4B931140F155DFF02E058D93F019F43D2DB
SHA-512:	19F857CBF4010172EC5E83F0B0AFE50798CE61663ABE0CE19C8098F6B9CA930026FB3BC8161A812265A64F38CC2BB144CAEFD154701FFFB8F808BB4649F2B0FA
Malicious:	false
Preview:	D...V^..j..a.E..QE...qAa.UTBT.Ef.e....\.q.SlK..rZ[ywW^...]AI.G.`.JRoZaKQ.....n..LT.SNugG...\.I.na.AGaY.d.E.H.l.y.....j`..o.VqtY......n..Y.eQT..vY......m.E.Ax.q.._v..UuT..yVT.K...rf.hlO...q...t..nH...b.lZv..Qm.Hyj...L...[.[a.a.j.s.J.q.xo...t.....O.dNN....S.j.lwE..A..n[....y..V...U.J.H.HfP..W_B.o..jUwB.d......C].OO....tZ...fSaQi...Ensbi..XW.......M...I..\q.Z.........FY...GE.J[._kXGb[..f...ID.Ha..qc.G...i...D..].PHbH..K.V.DboPR.ny_kF.R\R.gl`.f.k.Wr.WR.WP..U.N.p..Ss.]D..s.k....ZA......i.Y.NKQk.Kc..L..Y.P.ej......].......Ht..nC..U.XN.m.I.....C...F.ZXSQ..D.bGB_.w.o.\BaKD.j...Vwy....`...p...]OV.Yt..HX.D`.vA..NM..F.D.U...X.p..KYku.\.K.sGbK...i.s...a...Yl.......C[...H.cr.H.Ygc..Zl.t..d_.y......SrMvC..XtW.hJ..jD....f...T......xRsT......g.n...X..C..Q.m.oqe.a..kZ.qDBAD...i.`C.o[.C..^e.V.NM..N.nvc.yb....Gq..._Y....g.ZN...q..jvY.ysV....Cf_B.....e.H.L.n[A.L.`.Lr.WBgaAW.\\H.Khy.VE.Ku..[...dCU...Z....TD...o..c.E..`.b..L.B..Xp....s..Y.U..ZpO..Bm.sVk.Vt.g...oM.SkuL.rX.l.LU....\..d....xR.yw..N.....F.td...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows, InstallShield self-extracting archive
Entropy (8bit):	7.9655777882955725
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	VmjvNTbD5J.exe
File size:	7'884'295 bytes
MD5:	ab660c89d26121d4041874614646fd75
SHA1:	586cb1d772f7f559786f4f5b2420e5ba5806815b
SHA256:	8ed2ebe94abc2758e4db53c476f8b7a69b5436fe176cba112802990547c5bb24
SHA512:	bb5a761372d9a7301d8f37545e092d0ee8843472e77ec919adb9084ec2b1142e9faaa2dfa7f563ffa568df4b463dcc1c444f50b1b8413c40a3214474aeebd38b
SSDEEP:	196608:f/udXsI8lAWZkhDIIUctmEFpnr8Kxdw3+3:fKX1+A2khsctmEFJrbj3
TLSH:	5A8622763BF424FAC4BA4376C6808272FE75B14D3321647D8AA4962C1F7B96965BF300
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R.>..eP..eP..eP.].S..eP.].U..eP.Y.T..eP.Y.S..eP.Y.U.;eP...U.BeP.].T..eP.].V..eP.].Q..eP..eQ.sdP...U..eP......eP..e...eP...R..eP

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x140053dd0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x642D70FD [Wed Apr 5 13:00:45 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	07c4dc6e132c507bcef10998173e3c81

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0C290A87C4h
dec eax
add esp, 28h
jmp 00007F0C290A825Fh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0002B4D3h]
dec eax
mov ecx, ebx
call dword ptr [0002B4C2h]
call dword ptr [0002B63Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0002B4B8h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [0002B4A4h]
test eax, eax
je 00007F0C290A83E9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00062E4Ah]
call 00007F0C290A848Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00062F31h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00062EC1h], eax
dec eax
mov eax, dword ptr [00062F1Ah]
dec eax
mov dword ptr [00062D8Bh], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00062E8Fh], eax
mov dword ptr [00062D65h], C0000409h
mov dword ptr [00062D5Fh], 00000001h
mov dword ptr [00000069h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3650	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc1000	0x5028	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb9000	0x4548	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc7000	0x788	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaf270	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xaf300	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xaee70	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7f000	0x828	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb300c	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7dce0	0x7de00	c704ae162ee75093c868d807de4e6109	False	0.513908499875869	data	6.395321923761475	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7f000	0x36206	0x36400	fe6ad98a384b001707cdb378131283ec	False	0.28707337269585254	data	5.143926566262762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb6000	0x22d0	0xc00	ba85cbd0519f80f728e08c1ca076f497	False	0.16731770833333334	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, sparse, rows 0, columns 1074173776, imaginary	2.2806420603419033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xb9000	0x4548	0x4600	14f42c90baded23f8dc00df73002a78c	False	0.5132254464285714	data	5.796600156579775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0xbe000	0x198	0x200	9761ef77b7321d60f960bfa859df4c2d	False	0.294921875	data	2.6061387799503875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0xbf000	0x30	0x200	1a42e805dfc6a3511ca96d60ce037ed0	False	0.107421875	data	0.5813091016060967	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xc0000	0x15c	0x200	558d283cbc1650a14570174bb1d3febb	False	0.3984375	data	3.2625786276652566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc1000	0x5028	0x5200	107ba3edad4d7cdfa9546aced0f1dce3	False	0.3156916920731707	data	5.461268105293538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc7000	0x788	0x800	3fa0b1735b1c909bebcb305a665399aa	False	0.54541015625	data	5.264719402838329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc11c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.43185920577617326
RT_RCDATA	0xc1a68	0x8	data	English	United States	1.75
RT_MESSAGETABLE	0xc1a70	0x3d74	data	English	United States	0.282418001525553
RT_GROUP_ICON	0xc57e4	0x14	data	English	United States	1.15
RT_VERSION	0xc57f8	0x2d0	data	English	United States	0.4736111111111111
RT_MANIFEST	0xc5ac8	0x560	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1373), with no line terminators	English	United States	0.4563953488372093

Imports

DLL	Import
KERNEL32.dll	GetUserDefaultUILanguage, GetUserDefaultLangID, GetSystemDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, CreateProcessW, DuplicateHandle, FreeLibrary, ProcessIdToSessionId, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, OpenProcess, GetProcessId, SetProcessShutdownParameters, LocalFileTimeToFileTime, SetEndOfFile, SetFileTime, GetExitCodeThread, DosDateTimeToFileTime, CompareStringA, SetThreadExecutionState, ReleaseSemaphore, CreateMutexW, GetExitCodeProcess, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetStdHandle, ExitProcess, VerifyVersionInfoW, GetFileType, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetFileSizeEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, WriteConsoleW, GetComputerNameW, GetSystemTime, VerSetConditionMask, CompareStringW, GetNativeSystemInfo, CreateThread, GetCurrentProcess, CreateSemaphoreW, CreateEventW, ReleaseMutex, ResetEvent, SetEvent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, MoveFileExW, SetFileAttributesW, RemoveDirectoryW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, GetCurrentDirectoryW, ExpandEnvironmentStringsW, GetProcessHeap, HeapSize, HeapFree, GetDateFormatW, HeapReAlloc, HeapAlloc, GetModuleFileNameW, GetSystemWow64DirectoryW, GetSystemDirectoryW, GetLocalTime, Sleep, SetLastError, GetTempPathW, GetVolumePathNameW, GetTempFileNameW, GetFullPathNameW, CreateDirectoryW, LCMapStringW, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, FormatMessageW, LocalFree, LoadLibraryExW, GetProcAddress, GetModuleHandleW, WaitForMultipleObjects, WaitForSingleObject, HeapSetInformation, GetLastError, lstrlenA, GetCurrentProcessId, GetModuleHandleA, MulDiv, CompareStringOrdinal, GetSystemWindowsDirectoryW, GlobalAlloc, GlobalFree, CopyFileW, LoadResource, LockResource, SizeofResource, FindResourceExA, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, GetTimeZoneInformation, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, WriteFile, SetFilePointer, CreateFileA, CloseHandle, GetModuleHandleExW, CreateFileW
USER32.dll	GetDC, ReleaseDC, MonitorFromPoint, ShowWindow, IsDialogMessageW, LoadBitmapW, SetWindowLongPtrW, GetWindowLongPtrW, GetCursorPos, MessageBoxW, SetWindowPos, CreateWindowExW, UnregisterClassW, RegisterClassW, PostQuitMessage, DefWindowProcW, DispatchMessageW, TranslateMessage, GetMessageW, WaitForInputIdle, IsWindow, PostMessageW, GetMonitorInfoW, LoadCursorW, MonitorFromWindow
GDI32.dll	DeleteObject, SelectObject, StretchBlt, GetObjectW, DeleteDC, CreateDCW, CreateCompatibleDC, GetDeviceCaps
ADVAPI32.dll	GetUserNameW, CryptAcquireContextW, QueryServiceConfigW, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, OpenProcessToken, AllocateAndInitializeSid, CheckTokenMembership, GetTokenInformation, AdjustTokenPrivileges, IsWellKnownSid, LookupPrivilegeValueW, RegCreateKeyExW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, ControlService, CloseServiceHandle, ChangeServiceConfigW, SetEntriesInAclW, DecryptFileW, InitializeAcl, CreateWellKnownSid, ConvertStringSecurityDescriptorToSecurityDescriptorW, ReportEventW, OpenEventLogW, CloseEventLog, RegQueryInfoKeyW, RegDeleteValueW, RegQueryValueExW, InitiateSystemShutdownExW, RegOpenKeyExW, RegCloseKey, SetNamedSecurityInfoW, RegDeleteKeyW, RegEnumKeyExW, RegEnumValueW, RegSetValueExW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetEntriesInAclA
ole32.dll	CoInitializeEx, CoInitialize, CoInitializeSecurity, CoUninitialize, CLSIDFromProgID, CoTaskMemFree, StringFromGUID2, CoCreateInstance
OLEAUT32.dll	VariantClear, SysFreeString, VariantInit, SysAllocString
RPCRT4.dll	UuidCreate
SHELL32.dll	CommandLineToArgvW, ShellExecuteExW, SHGetFolderPathW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:44:28.369261980 CET	61227	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:44:28.374119043 CET	53	61227	162.159.36.2	192.168.2.4
Jan 9, 2025 14:44:28.374494076 CET	61227	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:44:28.379437923 CET	53	61227	162.159.36.2	192.168.2.4
Jan 9, 2025 14:44:28.861244917 CET	61227	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:44:28.879043102 CET	61227	53	192.168.2.4	162.159.36.2
Jan 9, 2025 14:44:28.884449959 CET	53	61227	162.159.36.2	192.168.2.4
Jan 9, 2025 14:44:28.884510040 CET	61227	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 14:44:28.368328094 CET	53	53555	162.159.36.2	192.168.2.4
Jan 9, 2025 14:44:28.950462103 CET	53	63153	1.1.1.1	192.168.2.4
Jan 9, 2025 14:44:29.189342976 CET	64392	53	192.168.2.4	1.1.1.1
Jan 9, 2025 14:44:29.199044943 CET	53	64392	1.1.1.1	192.168.2.4
Jan 9, 2025 14:44:57.049109936 CET	52506	53	192.168.2.4	1.1.1.1
Jan 9, 2025 14:44:57.058150053 CET	53	52506	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 14:44:29.189342976 CET	192.168.2.4	1.1.1.1	0x517	Standard query (0)	plerukilo0.site	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:44:57.049109936 CET	192.168.2.4	1.1.1.1	0xdc88	Standard query (0)	plerukilo0.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 14:44:29.199044943 CET	1.1.1.1	192.168.2.4	0x517	Name error (3)	plerukilo0.site	none	none	A (IP address)	IN (0x0001)	false
Jan 9, 2025 14:44:57.058150053 CET	1.1.1.1	192.168.2.4	0xdc88	Name error (3)	plerukilo0.site	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:43:41
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\VmjvNTbD5J.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VmjvNTbD5J.exe"
Imagebase:	0x7ff657080000
File size:	7'884'295 bytes
MD5 hash:	AB660C89D26121D4041874614646FD75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:43:42
Start date:	09/01/2025
Path:	C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\TEMP\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe" -burn.clean.room="C:\Users\user\Desktop\VmjvNTbD5J.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572
Imagebase:	0x7ff743d30000
File size:	7'814'631 bytes
MD5 hash:	B153C388223577EA044ACA3908BE2935
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:43:43
Start date:	09/01/2025
Path:	C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\TEMP\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe
Imagebase:	0x400000
File size:	7'579'704 bytes
MD5 hash:	E2A27870BA4DA90DF6276C4DA9E3CF82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:43:44
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe
Imagebase:	0x400000
File size:	7'579'704 bytes
MD5 hash:	E2A27870BA4DA90DF6276C4DA9E3CF82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:43:45
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:43:45
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:44:09
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:44:23
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe"
Imagebase:	0x400000
File size:	7'579'704 bytes
MD5 hash:	E2A27870BA4DA90DF6276C4DA9E3CF82
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:44:23
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:44:23
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:44:39
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe
Imagebase:	0x140000000
File size:	2'364'728 bytes
MD5 hash:	967F4470627F823F4D7981E511C9824F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.9%
Total number of Nodes:	1450
Total number of Limit Nodes:	44

Executed Functions

Function 00007FF657090238 Relevance: 88.1, APIs: 24, Strings: 26, Instructions: 582
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF6570902CA
SetFilePointerEx.KERNELBASE ref: 00007FF65709032A
GetLastError.KERNEL32 ref: 00007FF657090334
ReadFile.KERNELBASE ref: 00007FF657090385
GetLastError.KERNEL32 ref: 00007FF65709038F
SetFilePointerEx.KERNELBASE ref: 00007FF6570903F6
GetLastError.KERNEL32 ref: 00007FF657090400
ReadFile.KERNELBASE ref: 00007FF657090457
GetLastError.KERNEL32 ref: 00007FF657090461
SetFilePointerEx.KERNELBASE ref: 00007FF6570904D3
GetLastError.KERNEL32 ref: 00007FF6570904DD

Strings

Failed to read complete image section header, index: %u, xrefs: 00007FF657090ACD
Failed to read section info, data too short: %u, xrefs: 00007FF657090773
Failed to read signature size., xrefs: 00007FF6570905D4
Failed to read image section header, index: %u, xrefs: 00007FF6570906F0
Failed to seek past optional headers., xrefs: 00007FF657090636
Failed to read DOS header., xrefs: 00007FF6570903C3
Failed to read NT header., xrefs: 00007FF657090495
Failed to read section info., xrefs: 00007FF657090871
Failed to allocate buffer for section info., xrefs: 00007FF6570907B2
d:\a\wix4\wix4\src\burn\engine\section.cpp, xrefs: 00007FF6570902DD, 00007FF657090348, 00007FF6570903A3, 00007FF657090414, 00007FF657090475, 00007FF6570904F1, 00007FF657090555, 00007FF6570905B4, 00007FF657090616, 00007FF6570906D0, 00007FF657090711, 00007FF657090727, 00007FF657090755, 00007FF65709079A, 00007FF6570907E9, 00007FF657090851, 00007FF65709088C, 00007FF6570908AE, 00007FF6570908DF, 00007FF657090909, 00007FF65709093C, 00007FF657090A0A, 00007FF657090A61, 00007FF657090A8A, 00007FF657090AB7, 00007FF657090ADE, 00007FF657090B05, 00007FF657090B2B, 00007FF657090B59
Failed to find valid DOS image header in buffer., xrefs: 00007FF657090B43
Failed to open handle to engine process path., xrefs: 00007FF6570902FD
Invalid section info, cContainers too large: %u, xrefs: 00007FF65709095A
Failed to allocate memory for container sizes., xrefs: 00007FF657090A24
Failed to find valid NT image header in buffer., xrefs: 00007FF657090B1D
4, xrefs: 00007FF657090749
Failed to get total size of bundle., xrefs: 00007FF657090977
PE Header from file didn't match PE Header in memory., xrefs: 00007FF657090A72
Failed to read section info, unsupported version: %08x, xrefs: 00007FF6570908FD
Failed to read signature offset., xrefs: 00007FF657090575
Failed to find Burn section., xrefs: 00007FF65709073D
Failed to read complete section info., xrefs: 00007FF6570908A2
Failed to seek to NT header., xrefs: 00007FF657090434
(, xrefs: 00007FF65709066C
Failed to seek to section info., xrefs: 00007FF657090511, 00007FF657090809
Failed to seek to start of file., xrefs: 00007FF657090368

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$File$Pointer$Read
String ID: ($4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data too short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$Invalid section info, cContainers too large: %u$PE Header from file didn't match PE Header in memory.$d:\a\wix4\wix4\src\burn\engine\section.cpp
API String ID: 2600052162-807141041
Opcode ID: d88e13f582e143ad85da803e65f928623628dee30627a78611f5db80cc6f2063
Instruction ID: fd888f3ea58681d9ebe90e6b2a6a3c3972fb08e221cccd77cf5ccad6c474011d
Opcode Fuzzy Hash: d88e13f582e143ad85da803e65f928623628dee30627a78611f5db80cc6f2063
Instruction Fuzzy Hash: B442AFB2B18606CBEB20CB19E48077A23E5BB89790F59413ADA4DE3794DF3DE509C744

Function 00007FF6570872AC Relevance: 65.2, APIs: 19, Strings: 18, Instructions: 454
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00007FF65708732C
GetLastError.KERNEL32 ref: 00007FF65708733B
SetFileAttributesW.KERNEL32 ref: 00007FF6570873D2
GetLastError.KERNEL32 ref: 00007FF6570873DC
FindFirstFileW.KERNELBASE ref: 00007FF6570874DE
GetLastError.KERNEL32 ref: 00007FF6570874EF

Strings

Failed to get attributes for path: %ls, xrefs: 00007FF657087385
Failed to get temp directory., xrefs: 00007FF657087470
Failed to get temp file to move to., xrefs: 00007FF65708784F
Failed to remove directory: %ls, xrefs: 00007FF6570877E4
Failed to remove read-only attribute from path: %ls, xrefs: 00007FF657087426
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp, xrefs: 00007FF657087370, 00007FF657087411, 00007FF657087437, 00007FF657087481, 00007FF6570874C5, 00007FF657087500, 00007FF657087933
Failed to concat wild cards to string: %ls, xrefs: 00007FF6570874B6
Failed to ensure path is backslash terminated: %ls, xrefs: 00007FF657087806
Failed to delete subdirectory; continuing: %ls, xrefs: 00007FF65708760F
Directory delete cannot delete file: %ls, xrefs: 00007FF657087954
Failed while looping through files in directory: %ls, xrefs: 00007FF6570878C7
Failed to remove attributes from file: %ls, xrefs: 00007FF65708783A
Failed to delete file: %ls, xrefs: 00007FF657087883
Failed to concat filename '%ls' to directory: %ls, xrefs: 00007FF6570878E7
*.*, xrefs: 00007FF6570874A4
DEL, xrefs: 00007FF6570876B2
failed to get first file in directory: %ls, xrefs: 00007FF657087527
Failed to ensure file name was null terminated., xrefs: 00007FF657087909

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLast$Attributes$FindFirst
String ID: *.*$DEL$Directory delete cannot delete file: %ls$Failed to concat filename '%ls' to directory: %ls$Failed to concat wild cards to string: %ls$Failed to delete file: %ls$Failed to delete subdirectory; continuing: %ls$Failed to ensure file name was null terminated.$Failed to ensure path is backslash terminated: %ls$Failed to get attributes for path: %ls$Failed to get temp directory.$Failed to get temp file to move to.$Failed to remove attributes from file: %ls$Failed to remove directory: %ls$Failed to remove read-only attribute from path: %ls$Failed while looping through files in directory: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to get first file in directory: %ls
API String ID: 3680393312-305978383
Opcode ID: 60e1ccfe82e415a2a7bb83c5e28c6d2ff0e706d8bfe369be2fbd74d2c94484a1
Instruction ID: ad3a4bac30dbffb688d787f44beceac030a5345c096796945681f39e12a8f2eb
Opcode Fuzzy Hash: 60e1ccfe82e415a2a7bb83c5e28c6d2ff0e706d8bfe369be2fbd74d2c94484a1
Instruction Fuzzy Hash: D112D5A1B1C74B86EB209BA5E48067A62E0BF84B94F481135DE4EF7798DF7DE508C704

Function 00007FF657089464 Relevance: 49.4, APIs: 4, Strings: 24, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF65708950B

Part of subcall function 00007FF6570E847C: InitializeCriticalSection.KERNEL32(?,?,?,?,00007FF657089519), ref: 00007FF6570E8495

Part of subcall function 00007FF6570E87D0: _cwprintf_s_l.LIBCMT ref: 00007FF6570E8840

CoInitializeEx.COMBASE ref: 00007FF6570895C7

Part of subcall function 00007FF6570E8C84: FreeLibrary.KERNEL32(?,?,?,?,?,00007FF65708967A), ref: 00007FF6570E8E00

GetNativeSystemInfo.KERNELBASE ref: 00007FF65708969D
CoUninitialize.COMBASE ref: 00007FF657089B01

Strings

Failed to initialize Regutil., xrefs: 00007FF657089619
x64, xrefs: 00007FF6570896A8, 00007FF6570896F7
Invalid run mode., xrefs: 00007FF6570897AA
x86, xrefs: 00007FF6570896DD
4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4, xrefs: 00007FF657089705
ARM64, xrefs: 00007FF6570896C6
Failed to initialize core., xrefs: 00007FF65708976B
Failed to run embedded mode., xrefs: 00007FF657089868
unknown architecture, xrefs: 00007FF657089696
Failed to run RunOnce mode., xrefs: 00007FF6570897D8
Failed to initialize XML util., xrefs: 00007FF657089659
Failed to run untrusted mode., xrefs: 00007FF6570898E6
Failed to connect to parent of embedded process., xrefs: 00007FF657089804
Failed to initialize COM., xrefs: 00007FF6570895D3
Failed to get OS info., xrefs: 00007FF657089680
Failed to run per-machine mode., xrefs: 00007FF657089895
Failed to initialize Cryputil., xrefs: 00007FF6570895F4
Failed to run per-user mode., xrefs: 00007FF6570898BF
Failed to parse command line., xrefs: 00007FF65708954B
Failed to initialize Wiutil., xrefs: 00007FF657089639
ARM, xrefs: 00007FF6570896D4
Failed to initialize engine state., xrefs: 00007FF65708958F
d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00007FF657089562, 00007FF657089847
Failed to run bootstrapper application embedded., xrefs: 00007FF657089836

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Initialize$CriticalFreeHandleInfoLibraryModuleNativeSectionSystemUninitialize_cwprintf_s_l
String ID: 4.0.0+8c757c0f67f26f21c6bcbbfb81b7ea8b91c35fe4$ARM$ARM64$Failed to connect to parent of embedded process.$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run bootstrapper application embedded.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$d:\a\wix4\wix4\src\burn\engine\engine.cpp$unknown architecture$x64$x86
API String ID: 2158560762-3243415026
Opcode ID: e36adcbc4c369f94fbaff1b94ace581215e5879ba3a01d0b6526716f1c2ffd86
Instruction ID: 6432d5865c9794a534a21d80176f774dbffa755498607db832d35799b3227ffb
Opcode Fuzzy Hash: e36adcbc4c369f94fbaff1b94ace581215e5879ba3a01d0b6526716f1c2ffd86
Instruction Fuzzy Hash: AC128FA1B2864B8AFF20EF65D8442BD62E5AF84744F5C0136DA4DE6A99DF3CE50DC700

Function 00007FF65709EB98 Relevance: 35.4, APIs: 2, Strings: 18, Instructions: 360
sleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,00000001,?,00007FF657088ED8), ref: 00007FF65709EC98
Sleep.KERNEL32(?,?,?,00000000,?,?,?,00000001,?,00007FF657088ED8), ref: 00007FF65709EE01

Part of subcall function 00007FF6570E7F04: EnterCriticalSection.KERNEL32(?,?,?,?,00007FF65709F01C,?,?,?,00000000,?,?,?,00000001,?,00007FF657088ED8), ref: 00007FF6570E7F0F
Part of subcall function 00007FF6570E7F04: CloseHandle.KERNEL32(?,?,?,?,00007FF65709F01C,?,?,?,00000000,?,?,?,00000001,?,00007FF657088ED8), ref: 00007FF6570E7F2C

Strings

Failed to copy log path to prefix., xrefs: 00007FF65709EEA8
Failed to copy log file path from command line., xrefs: 00007FF65709ECCC
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00007FF65709EC0C
Failed to initialize logging., xrefs: 00007FF65709ECFD
Failed to open log: %ls, xrefs: 00007FF65709EEE1
.elevated, xrefs: 00007FF65709EBEA
d:\a\wix4\wix4\src\burn\engine\logging.cpp, xrefs: 00007FF65709ECDD, 00007FF65709ED0E, 00007FF65709EEF7
Failed to get non-session specific TEMP folder., xrefs: 00007FF65709EFF8
Logging, xrefs: 00007FF65709EC2E
.runonce, xrefs: 00007FF65709EBE1
Failed to copy log extension to extension., xrefs: 00007FF65709F03D
Failed to get parent directory from '%ls'., xrefs: 00007FF65709EF91
Failed to copy default log prefix., xrefs: 00007FF65709ED8E
.cleanroom, xrefs: 00007FF65709EBF3
Setup, xrefs: 00007FF65709ED7C
Failed to copy default log extension., xrefs: 00007FF65709EDC6
log, xrefs: 00007FF65709EDB4
Failed to copy full log path to prefix., xrefs: 00007FF65709F063

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$CriticalEnterHandleSectionSleep
String ID: .cleanroom$.elevated$.runonce$Failed to copy default log extension.$Failed to copy default log prefix.$Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log file path from command line.$Failed to copy log path to prefix.$Failed to get non-session specific TEMP folder.$Failed to get parent directory from '%ls'.$Failed to initialize logging.$Failed to open log: %ls$Logging$SOFTWARE\Policies\Microsoft\Windows\Installer$Setup$d:\a\wix4\wix4\src\burn\engine\logging.cpp$log
API String ID: 443246293-1383633517
Opcode ID: 21f2da48729c3b114a5a2884a93ce354bf2ccf7fbf0d73ec89bf734ed05ce1e0
Instruction ID: 23b240803d202814c5389b846f9bf2eec9be807ffb5205194b670eea1e646d2f
Opcode Fuzzy Hash: 21f2da48729c3b114a5a2884a93ce354bf2ccf7fbf0d73ec89bf734ed05ce1e0
Instruction Fuzzy Hash: 8AE1CDA2B0975A86FB649B21D4902B922E4FF64784F4C4036DE4DE7B95EF3DE958C300

Function 00007FF657089C84 Relevance: 35.1, APIs: 2, Strings: 21, Instructions: 572COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF657089CCD
LeaveCriticalSection.KERNEL32 ref: 00007FF65708A441

Part of subcall function 00007FF65708A4E0: EnterCriticalSection.KERNEL32 ref: 00007FF65708A50D
Part of subcall function 00007FF65708A4E0: LeaveCriticalSection.KERNEL32 ref: 00007FF65708A673

Strings

Failed to reallocate variable array., xrefs: 00007FF65708A03A
Failed to format record., xrefs: 00007FF65708A3E4
d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF657089D33, 00007FF657089E05, 00007FF657089FF9, 00007FF65708A022, 00007FF65708A052, 00007FF65708A08C, 00007FF65708A0BE, 00007FF65708A0E7, 00007FF65708A123, 00007FF65708A1EF, 00007FF65708A21F, 00007FF65708A24B, 00007FF65708A2E3, 00007FF65708A31D, 00007FF65708A3B9
Failed to append string., xrefs: 00007FF657089DF4, 00007FF657089FE8, 00007FF65708A184, 00007FF65708A1BF
Failed to allocate buffer for format string., xrefs: 00007FF657089D6D
Failed to determine variable visibility: '%ls'., xrefs: 00007FF65708A0F8
Failed to set record format string., xrefs: 00007FF65708A276
Failed to get variable name., xrefs: 00007FF65708A147
Failed to length of format string., xrefs: 00007FF657089D22
Failed to set variable value., xrefs: 00007FF65708A0AD
Failed to allocate record., xrefs: 00007FF65708A207
Failed to copy string., xrefs: 00007FF65708A411
[%d], xrefs: 00007FF657089F95
Failed to set record string., xrefs: 00007FF65708A348
Failed to allocate string., xrefs: 00007FF65708A386
.cleanroom, xrefs: 00007FF657089C97
*****, xrefs: 00007FF657089F35
Failed to allocate variable array., xrefs: 00007FF65708A13B
Failed to format placeholder string., xrefs: 00007FF65708A07B
Failed to get formatted length., xrefs: 00007FF65708A30E
Failed to append placeholder., xrefs: 00007FF65708A06D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$.cleanroom$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to length of format string.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-2640746530
Opcode ID: 0e8b062e9232d20b26b77f35d1d9708b7e9e7c89f1d33bfce972226b9cf0c200
Instruction ID: b484e6bb3e36abe32ce73ba7f200d9ca2055d8c533319606bd5a1ad9454aedc4
Opcode Fuzzy Hash: 0e8b062e9232d20b26b77f35d1d9708b7e9e7c89f1d33bfce972226b9cf0c200
Instruction Fuzzy Hash: 6C32AFE2F1866A86FB20DB6194902BA26D1AF84794F5C0139DE0EF7B95DF3CE5098704

Function 00007FF6570A1BE0 Relevance: 33.5, APIs: 9, Strings: 10, Instructions: 221
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6570A1C3C
GetLastError.KERNEL32 ref: 00007FF6570A1C4B
CloseHandle.KERNELBASE ref: 00007FF6570A1F15

Strings

Failed to seek to checksum in exe header., xrefs: 00007FF6570A1D9F
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A1C5F, 00007FF6570A1C90, 00007FF6570A1CD7, 00007FF6570A1D23, 00007FF6570A1D7F, 00007FF6570A1E03, 00007FF6570A1EA3, 00007FF6570A1EF9
Failed to zero out original data offset., xrefs: 00007FF6570A1EE8
Failed to seek to beginning of engine file: %ls, xrefs: 00007FF6570A1CC6
Failed to update signature offset., xrefs: 00007FF6570A1DC8, 00007FF6570A1E44, 00007FF6570A1E6A
.cr, xrefs: 00007FF6570A1BE3
Failed to seek to signature table in exe header., xrefs: 00007FF6570A1E23
Failed to seek to original data in exe burn section header., xrefs: 00007FF6570A1EC3
Failed to copy engine from: %ls to: %ls, xrefs: 00007FF6570A1D17
Failed to create engine file at path: %ls, xrefs: 00007FF6570A1C7F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: .cr$Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 2528220319-4111140883
Opcode ID: 63027c80af3d4ebf1d36603d37c782b36fa3121484d4d79a259a6ad377d275da
Instruction ID: 42994ae20cf6c633fc5cadcaf55ceb1f3c54f06354fd1af6c56fb61a10426883
Opcode Fuzzy Hash: 63027c80af3d4ebf1d36603d37c782b36fa3121484d4d79a259a6ad377d275da
Instruction Fuzzy Hash: D791C361B2875686F720DB25E48077622E4BF58B90F884135DD8DE7B94DF3CE5098744

Function 00007FF6570EE4B8 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 171
libraryloadercomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE4F7
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE509
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE5B9
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE5CE
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE5E1
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE5F4
CoCreateInstance.COMBASE(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE648
ExitProcess.KERNEL32 ref: 00007FF6570EE75C

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EE51D, 00007FF6570EE557, 00007FF6570EE66B
failed to create XML DOM Document, xrefs: 00007FF6570EE654
Wow64DisableWow64FsRedirection, xrefs: 00007FF6570EE5C4
failed XmlCreateElement, xrefs: 00007FF6570EE6DB
kernel32.dll, xrefs: 00007FF6570EE4E0
failed to get handle to kernel32.dll, xrefs: 00007FF6570EE53D
Wow64RevertWow64FsRedirection, xrefs: 00007FF6570EE5E7
IsWow64Process, xrefs: 00007FF6570EE5AF
Wow64EnableWow64FsRedirection, xrefs: 00007FF6570EE5D4
failed appendChild, xrefs: 00007FF6570EE70D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateElement$failed appendChild$failed to create XML DOM Document$failed to get handle to kernel32.dll$kernel32.dll
API String ID: 2124981135-1573969316
Opcode ID: 3a3a0705cff9729a3415d1fbb6121d6721b2fbf31080613fedebf341df0e5cb3
Instruction ID: 937ff8f5c232d7983c7fd7dc7305b7134ed491486bd81e7b1fef761db4575cd1
Opcode Fuzzy Hash: 3a3a0705cff9729a3415d1fbb6121d6721b2fbf31080613fedebf341df0e5cb3
Instruction Fuzzy Hash: 437115A2A18B4F85FB518F16E8402B923A4BF84B84F484536DE0DE3764EF3DE54AC344

Function 00007FF657084D48 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 232sleepfiletimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,.cleanroom,?), ref: 00007FF657084EC7
CreateFileW.KERNELBASE ref: 00007FF657084F66
GetLastError.KERNEL32 ref: 00007FF657084F75
Sleep.KERNEL32 ref: 00007FF657084F8C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,.cleanroom,?), ref: 00007FF657085053

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00007FF657084DE4, 00007FF657084E8C, 00007FF657085036
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00007FF657084F1D
Failed to concatenate the temp folder and log prefix., xrefs: 00007FF657084E3C
failed to allocate memory for the temp path, xrefs: 00007FF65708501F
Failed to create temp file: %ls, xrefs: 00007FF657084FDC
Failed to get temp folder., xrefs: 00007FF657084E0E
Failed to combine directory and log prefix., xrefs: 00007FF657084DCD
Failed to ensure temp file path exists: %ls, xrefs: 00007FF657084E80
.cleanroom, xrefs: 00007FF657084D4D, 00007FF657084D51
Failed to copy temp path to return., xrefs: 00007FF657085002

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastLocalSleepTime
String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$.cleanroom$Failed to combine directory and log prefix.$Failed to concatenate the temp folder and log prefix.$Failed to copy temp path to return.$Failed to create temp file: %ls$Failed to ensure temp file path exists: %ls$Failed to get temp folder.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$failed to allocate memory for the temp path
API String ID: 1968021109-1311207464
Opcode ID: a9a25b6a6b9427bdf062adbb32dc01eb6a8c5cc95c4f4c1224b79382711ae4cf
Instruction ID: 5d75343e125da8da4b173905ad9afd0c83f1ab181003a7e6ed22baa6e55f50a1
Opcode Fuzzy Hash: a9a25b6a6b9427bdf062adbb32dc01eb6a8c5cc95c4f4c1224b79382711ae4cf
Instruction Fuzzy Hash: CBA18162B08A168AF760CFA1E4502BD33E5AB44758F480235EE5DE3BD9EF3CD51A8744

Function 00007FF6570E7A38 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 161threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570E7A89
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570E7A98
GetCurrentThreadId.KERNEL32 ref: 00007FF6570E7AA1
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570E7AB8
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570E7C82

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00007FF6570E7B7F
Failed to format line prefix., xrefs: 00007FF6570E7BAB
Failed to write string to log using redirected function: %ls, xrefs: 00007FF6570E7C32
Failed to convert log string to UTF-8, xrefs: 00007FF6570E7C01
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E7BC2, 00007FF6570E7C67
Failed to write string to log using default function: %ls, xrefs: 00007FF6570E7C4B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls$Failed to convert log string to UTF-8$Failed to format line prefix.$Failed to write string to log using default function: %ls$Failed to write string to log using redirected function: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
API String ID: 296830338-1339504754
Opcode ID: da0a7884cb04d5e9f83e9fcd3f03ee76a610eedc8125c07f4e25616af8c08537
Instruction ID: a2fb5900e546ac8790e044af94c7f9f7989af8dbfed7638514f77f8fd292ac91
Opcode Fuzzy Hash: da0a7884cb04d5e9f83e9fcd3f03ee76a610eedc8125c07f4e25616af8c08537
Instruction Fuzzy Hash: 4B715072B0864A9AEB219F25E8802BA73E4FB44754F480136DE4DE7BA4DF3CE559C704

Function 00007FF6570E7928 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6570E8476), ref: 00007FF6570E7969
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6570E8476), ref: 00007FF6570E7975
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6570E8476), ref: 00007FF6570E7A1B

Strings

failed to log id: %d, xrefs: 00007FF6570E79A3
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E7992, 00007FF6570E79C1

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to log id: %d
API String ID: 1365068426-1219654922
Opcode ID: 48a896860358c0d6d62c56415fe43e041647789efc5f0c3f15441eab9cd75975
Instruction ID: 70d859d713223da7d82361523463729049077a3b663eb7078958b33a03b5311d
Opcode Fuzzy Hash: 48a896860358c0d6d62c56415fe43e041647789efc5f0c3f15441eab9cd75975
Instruction Fuzzy Hash: 3031BE72B18B8A8AE7208F15E4441AD73A5FB88B50F98013ADB8DD3754DF38E949C744

Function 00007FF6570A44CC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 87fileCOMMON

Download Yara Rule

APIs

DecryptFileW.ADVAPI32 ref: 00007FF6570A45B3

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A457F, 00007FF6570A45E7
No usable base working folder found., xrefs: 00007FF6570A4595
Failed to copy working folder., xrefs: 00007FF6570A45D6

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: DecryptFile
String ID: Failed to copy working folder.$No usable base working folder found.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 3257575229-4136860833
Opcode ID: 33d9c878091376511f0b0b0cd26a57e041e4adcd3ab18688e2ccae335cfbaa40
Instruction ID: bde620f7c6fc9ed87cf910e1722d76431b1f30d9d1327438761a8e48f8dc5091
Opcode Fuzzy Hash: 33d9c878091376511f0b0b0cd26a57e041e4adcd3ab18688e2ccae335cfbaa40
Instruction Fuzzy Hash: 3631C476A18A8A87EB509F25E0403BAA3D1FBC4B98F5C4135EE4CDB659DF7CD0498700

Function 00007FF657086A48 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A51
RtlFreeHeap.NTDLL(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A5F
GetLastError.KERNEL32(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A6B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: 030a6326adff4fd54b1e732239a6ba3d14283f1bf84e7b59afac754cae3bccc9
Instruction ID: bc32e3c0819de2b2cf55e7e0ad6a88c9aca911c37dbc90b98f7492fd3e620914
Opcode Fuzzy Hash: 030a6326adff4fd54b1e732239a6ba3d14283f1bf84e7b59afac754cae3bccc9
Instruction Fuzzy Hash: 71E0C2D0F0478B82F7106BFB288817111D06F4CB91F484034CE49DA350ED1CF88D4224

Function 00007FF65708C924 Relevance: 128.2, APIs: 1, Strings: 84, Instructions: 665
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF65708C95E

Part of subcall function 00007FF657089B6C: CompareStringW.KERNEL32 ref: 00007FF657089BCE
Part of subcall function 00007FF657089B6C: GetLastError.KERNEL32 ref: 00007FF657089BF3

Strings

VersionNT64, xrefs: 00007FF65708D121
NTSuiteEnterprise, xrefs: 00007FF65708CC8B
WixBundleTag, xrefs: 00007FF65708D385
WixCanRestart, xrefs: 00007FF65708D1A7
WixBundleSourceProcessFolder, xrefs: 00007FF65708D369
WixBundleLastUsedSource, xrefs: 00007FF65708D407
AdminToolsFolder, xrefs: 00007FF65708C973
WixBundleInstalled, xrefs: 00007FF65708D212
VersionMsi, xrefs: 00007FF65708D086
WixBundleInProgressName, xrefs: 00007FF65708D3FB
WixBundleOriginalSourceFolder, xrefs: 00007FF65708D428
LogonUser, xrefs: 00007FF65708CBD7
ProgramFiles6432Folder, xrefs: 00007FF65708CE3D
Attempted to add built-in variable as a well-known variable: %ls, xrefs: 00007FF65708D6F4
InstallerName, xrefs: 00007FF65708CB1D
UserLanguageID, xrefs: 00007FF65708D05A
InstallerVersion, xrefs: 00007FF65708CB68
WindowsBuildNumber, xrefs: 00007FF65708D13F
SeShutdownPrivilege, xrefs: 00007FF65708D1C3
TempFolder, xrefs: 00007FF65708CFD4
ProgramFiles64Folder, xrefs: 00007FF65708CE0F
WixBundleElevated, xrefs: 00007FF65708D230
SendToFolder, xrefs: 00007FF65708CE89
NTSuiteBackOffice, xrefs: 00007FF65708CC5D
WixBundleSourceProcessPath, xrefs: 00007FF65708D350
UserUILanguageID, xrefs: 00007FF65708D02E
StartupFolder, xrefs: 00007FF65708CF5C
WixBundleAction, xrefs: 00007FF65708D199
LocalAppDataFolder, xrefs: 00007FF65708CBC0
ServicePackLevel, xrefs: 00007FF65708CEA0
ProgramMenuFolder, xrefs: 00007FF65708CE54
DesktopFolder, xrefs: 00007FF65708CA6F
VersionNT, xrefs: 00007FF65708D0B2
Attempted to add built-in variable again: %ls, xrefs: 00007FF65708D594
ProgramFilesFolder, xrefs: 00007FF65708CE26
WixBundleActiveParent, xrefs: 00007FF65708D23E
WindowsVolume, xrefs: 00007FF65708D16D
WixBundleOriginalSource, xrefs: 00007FF65708D41D
NTSuiteDataCenter, xrefs: 00007FF65708CC74
System64Folder, xrefs: 00007FF65708CF91
CommonFiles6432Folder, xrefs: 00007FF65708C9EF
CommonAppDataFolder, xrefs: 00007FF65708C9BC
CommonFilesFolder, xrefs: 00007FF65708C9DE
NTProductType, xrefs: 00007FF65708CC46
d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708D37E
CompatibilityMode, xrefs: 00007FF65708CA00
InstallerInformationalVersion, xrefs: 00007FF65708CB94
FavoritesFolder, xrefs: 00007FF65708CA8D
Date, xrefs: 00007FF65708CA17
StartMenuFolder, xrefs: 00007FF65708CF2F
RebootPending, xrefs: 00007FF65708CE6B
Privileged, xrefs: 00007FF65708CDBE
NTSuiteWebServer, xrefs: 00007FF65708CD5F
WixBundleExecutePackageCacheFolder, xrefs: 00007FF65708D1E8
Failed to insert variable., xrefs: 00007FF65708D541, 00007FF65708D648
WixBundleVersion, xrefs: 00007FF65708D3B2
Failed to add built-in variable: %ls., xrefs: 00007FF65708D744
PersonalFolder, xrefs: 00007FF65708CD8E
CommonFiles64Folder, xrefs: 00007FF65708C9CD
ProcessorArchitecture, xrefs: 00007FF65708CDEA
WixBundleCommandLineAction, xrefs: 00007FF65708D1DA
SystemFolder, xrefs: 00007FF65708CF73
Failed to add well-known variable: %ls., xrefs: 00007FF65708D728
Failed to find variable value., xrefs: 00007FF65708D4F8, 00007FF65708D5FF
WixBundleUILevel, xrefs: 00007FF65708D39D
TemplateFolder, xrefs: 00007FF65708D000
NTSuiteSmallBusinessRestricted, xrefs: 00007FF65708CD33
WixBundleName, xrefs: 00007FF65708D3EF
WixBundleExecutePackageAction, xrefs: 00007FF65708D1F6
MyPicturesFolder, xrefs: 00007FF65708CC03
NTSuiteSmallBusiness, xrefs: 00007FF65708CCB9
NTSuitePersonal, xrefs: 00007FF65708CCA2
ComputerName, xrefs: 00007FF65708CA43
SystemLanguageID, xrefs: 00007FF65708CFA8
WixBundleManufacturer, xrefs: 00007FF65708D412
WindowsFolder, xrefs: 00007FF65708D156
WixBundleProviderKey, xrefs: 00007FF65708D334
FontsFolder, xrefs: 00007FF65708CAA4
WixBundleLayoutDirectory, xrefs: 00007FF65708D3DC
WixBundleForcedRestartPackage, xrefs: 00007FF65708D204
TerminalServer, xrefs: 00007FF65708D017
Attempted to add well-known variable again: %ls, xrefs: 00007FF65708D697
NativeMachine, xrefs: 00007FF65708CC1A
AppDataFolder, xrefs: 00007FF65708C99A

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareCriticalErrorInitializeLastSectionString
String ID: AdminToolsFolder$AppDataFolder$Attempted to add built-in variable again: %ls$Attempted to add built-in variable as a well-known variable: %ls$Attempted to add well-known variable again: %ls$CommonAppDataFolder$CommonFiles6432Folder$CommonFiles64Folder$CommonFilesFolder$CompatibilityMode$ComputerName$Date$DesktopFolder$Failed to add built-in variable: %ls.$Failed to add well-known variable: %ls.$Failed to find variable value.$Failed to insert variable.$FavoritesFolder$FontsFolder$InstallerInformationalVersion$InstallerName$InstallerVersion$LocalAppDataFolder$LogonUser$MyPicturesFolder$NTProductType$NTSuiteBackOffice$NTSuiteDataCenter$NTSuiteEnterprise$NTSuitePersonal$NTSuiteSmallBusiness$NTSuiteSmallBusinessRestricted$NTSuiteWebServer$NativeMachine$PersonalFolder$Privileged$ProcessorArchitecture$ProgramFiles6432Folder$ProgramFiles64Folder$ProgramFilesFolder$ProgramMenuFolder$RebootPending$SeShutdownPrivilege$SendToFolder$ServicePackLevel$StartMenuFolder$StartupFolder$System64Folder$SystemFolder$SystemLanguageID$TempFolder$TemplateFolder$TerminalServer$UserLanguageID$UserUILanguageID$VersionMsi$VersionNT$VersionNT64$WindowsBuildNumber$WindowsFolder$WindowsVolume$WixBundleAction$WixBundleActiveParent$WixBundleCommandLineAction$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInProgressName$WixBundleInstalled$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleManufacturer$WixBundleName$WixBundleOriginalSource$WixBundleOriginalSourceFolder$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion$WixCanRestart$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 4291812786-1743442426
Opcode ID: ff25b12800e485d587359f330c611961e772e9d31e999867e8fd1db8584435af
Instruction ID: ba2247f8b2eb7975a6851c1f0b61651b5220927d6f2bab7bf0c611bf80a7cc2c
Opcode Fuzzy Hash: ff25b12800e485d587359f330c611961e772e9d31e999867e8fd1db8584435af
Instruction Fuzzy Hash: F1826D72615FC59AD771CF24EC806DA33E9FB08348F54423AD68C9AB28EF399265C744

Function 00007FF6570B6E7C Relevance: 47.5, APIs: 16, Strings: 11, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,00007FF6570B66D6), ref: 00007FF6570B6EA4
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570B66D6), ref: 00007FF6570B6EB2

Strings

Failed to set end of file., xrefs: 00007FF6570B721B
Failed to set file pointer to end of file., xrefs: 00007FF6570B71CD
d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B6EC0, 00007FF6570B6F31, 00007FF6570B6F74, 00007FF6570B6FE4, 00007FF6570B7085, 00007FF6570B70D4, 00007FF6570B714C, 00007FF6570B71AD, 00007FF6570B71FB, 00007FF6570B724E, 00007FF6570B7286
Failed to create file: %ls, xrefs: 00007FF6570B7177
Failed to set operation complete event., xrefs: 00007FF6570B6EE6
Failed to allocate buffer for stream., xrefs: 00007FF6570B70EA
Failed to reset begin operation event., xrefs: 00007FF6570B6F57
Invalid operation for this state., xrefs: 00007FF6570B6F8A, 00007FF6570B709B
Failed to copy stream name: %hs, xrefs: 00007FF6570B6FD8
Failed to wait for begin operation event., xrefs: 00007FF6570B6F04, 00007FF6570B7035
Failed to set file pointer to beginning of file., xrefs: 00007FF6570B726E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %hs$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 3848097054-1884393483
Opcode ID: a8b74cfa495588d78009c4780292179a37fd0ced6149dcba000e61800993c851
Instruction ID: 1462396d787d8f991477e9a723bac53fce93b736c0690ac7beb0594905df0b7b
Opcode Fuzzy Hash: a8b74cfa495588d78009c4780292179a37fd0ced6149dcba000e61800993c851
Instruction Fuzzy Hash: 4FC172A1B18B5ACAFB208F65E48077922E4BF58B50F48113ADA4DE7791DF2CF9198344

Function 00007FF6570F64C8 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 202
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF657081A28: LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A58
Part of subcall function 00007FF657081A28: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A66

GetProcAddress.KERNEL32 ref: 00007FF6570F6545
GetCurrentProcess.KERNEL32 ref: 00007FF6570F655F
RegCloseKey.ADVAPI32 ref: 00007FF6570F67A3

Strings

kernel32.dll, xrefs: 00007FF6570F64F8
Failed to ensure array size for system TMP value., xrefs: 00007FF6570F6697
Failed to open system environment registry key., xrefs: 00007FF6570F6630
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path3utl.cpp, xrefs: 00007FF6570F6521
System\CurrentControlSet\Control\Session Manager\Environment, xrefs: 00007FF6570F6600
TMP, xrefs: 00007FF6570F6651
SystemTemp, xrefs: 00007FF6570F658F
Failed to get system Windows subdirectory path SystemTemp., xrefs: 00007FF6570F65A1
Failed to get temp path from system TMP., xrefs: 00007FF6570F6663
Failed to check if running as system., xrefs: 00007FF6570F6577
Failed to get system Windows subdirectory path TEMP., xrefs: 00007FF6570F6748
Failed to load kernel32.dll, xrefs: 00007FF6570F650A
Failed to get temp path from system TEMP., xrefs: 00007FF6570F66D7
Failed to ensure array size for Windows\SystemTemp value., xrefs: 00007FF6570F65D0
Failed to ensure array size for Windows\TEMP value., xrefs: 00007FF6570F6774
TEMP, xrefs: 00007FF6570F66C5, 00007FF6570F6736
GetTempPath2W, xrefs: 00007FF6570F653E
Failed to ensure array size for system TEMP value., xrefs: 00007FF6570F670B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressCloseCurrentErrorLastLibraryLoadProcProcess
String ID: Failed to check if running as system.$Failed to ensure array size for Windows\SystemTemp value.$Failed to ensure array size for Windows\TEMP value.$Failed to ensure array size for system TEMP value.$Failed to ensure array size for system TMP value.$Failed to get system Windows subdirectory path SystemTemp.$Failed to get system Windows subdirectory path TEMP.$Failed to get temp path from system TEMP.$Failed to get temp path from system TMP.$Failed to load kernel32.dll$Failed to open system environment registry key.$GetTempPath2W$SystemTemp$System\CurrentControlSet\Control\Session Manager\Environment$TEMP$TMP$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path3utl.cpp$kernel32.dll
API String ID: 1593934338-44121869
Opcode ID: d7143471ebef5ca8d24d0d61062df50fdf6e171436cab278c51ccfab9e12d296
Instruction ID: 2f379886ae39cb343f6cc76c337626788fe4412b848f92e9d05585bbe428b540
Opcode Fuzzy Hash: d7143471ebef5ca8d24d0d61062df50fdf6e171436cab278c51ccfab9e12d296
Instruction Fuzzy Hash: 3C9182A2B08B0B86EB20CF25D8807B923A4BB45788F584131DA0DE7799EF7DE519C744

Function 00007FF6570EDAB4 Relevance: 36.8, APIs: 9, Strings: 12, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF6570EDB32
GetProcAddress.KERNEL32 ref: 00007FF6570EDB62
GetProcAddress.KERNEL32 ref: 00007FF6570EDB92
GetProcAddress.KERNEL32 ref: 00007FF6570EDBC2
GetProcAddress.KERNEL32 ref: 00007FF6570EDBF2
GetProcAddress.KERNEL32 ref: 00007FF6570EDC22
GetProcAddress.KERNEL32 ref: 00007FF6570EDC52
GetProcAddress.KERNEL32 ref: 00007FF6570EDC8C
GetProcAddress.KERNEL32 ref: 00007FF6570EDCB1

Strings

Msi.dll, xrefs: 00007FF6570EDACC
Failed to load Msi.DLL, xrefs: 00007FF6570EDAE3
MsiSetExternalUIRecord, xrefs: 00007FF6570EDBFF
MsiEndTransaction, xrefs: 00007FF6570EDCAA
MsiBeginTransactionW, xrefs: 00007FF6570EDC85
MsiDetermineApplicablePatchesW, xrefs: 00007FF6570EDB3F
MsiGetPatchInfoExW, xrefs: 00007FF6570EDB9F
MsiGetProductInfoExW, xrefs: 00007FF6570EDBCF
MsiDeterminePatchSequenceW, xrefs: 00007FF6570EDB2B
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wiutil.cpp, xrefs: 00007FF6570EDAEF
MsiSourceListAddSourceExW, xrefs: 00007FF6570EDC2F
MsiEnumProductsExW, xrefs: 00007FF6570EDB6F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressProc
String ID: Failed to load Msi.DLL$Msi.dll$MsiBeginTransactionW$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEndTransaction$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wiutil.cpp
API String ID: 190572456-4147843358
Opcode ID: f2c52ce2770bdf847672b515e1dc474f5a71dca2f0b65a746359447ebc4db83c
Instruction ID: 50c83f57d7125e65d292d4aa2c0201344ff0d4d96d78a207a3d262c56b71f2a4
Opcode Fuzzy Hash: f2c52ce2770bdf847672b515e1dc474f5a71dca2f0b65a746359447ebc4db83c
Instruction Fuzzy Hash: 4C517DA0A19A4F89EF24DB51FC9427423A4BF84B84F4C0539D94EE7220EF7CA559C364

Function 00007FF65708BE2C Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF65708BE54

Part of subcall function 00007FF657089B6C: CompareStringW.KERNEL32 ref: 00007FF657089BCE
Part of subcall function 00007FF657089B6C: GetLastError.KERNEL32 ref: 00007FF657089BF3

LeaveCriticalSection.KERNEL32 ref: 00007FF65708C077
_cwprintf_s_l.LIBCMT ref: 00007FF65708C09D

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708BEEB, 00007FF65708C053
Failed to insert variable '%ls'., xrefs: 00007FF65708BEA5
Failed to find variable value '%ls'., xrefs: 00007FF65708BE76
Attempt to set built-in variable value: %ls, xrefs: 00007FF65708BF01
Setting hidden variable '%ls', xrefs: 00007FF65708BF42
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00007FF65708C08E
Setting %ls variable '%ls' to value '%ls', xrefs: 00007FF65708BFCE
Unsetting variable '%ls', xrefs: 00007FF65708BF7F, 00007FF65708BFEA
Setting numeric variable '%ls' to value %lld, xrefs: 00007FF65708BF97
Failed to set value of variable: %ls, xrefs: 00007FF65708C042
formatted, xrefs: 00007FF65708BFB7
Setting version variable '%ls' to value '%ls', xrefs: 00007FF65708BF8B
string, xrefs: 00007FF65708BFBE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString_cwprintf_s_l
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting %ls variable '%ls' to value '%ls'$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%ls'$Unsetting variable '%ls'$d:\a\wix4\wix4\src\burn\engine\variable.cpp$formatted$string
API String ID: 1673681053-2464245954
Opcode ID: d386d69a2b529bec333ce1dafe3e38c3269cf61878943cdff6c6323a97eab7b2
Instruction ID: 3f39e9a41597886475cfec0ce3888711a4b4f7b835b742b777a112eee78e3d7d
Opcode Fuzzy Hash: d386d69a2b529bec333ce1dafe3e38c3269cf61878943cdff6c6323a97eab7b2
Instruction Fuzzy Hash: 7E7192B1B0874A82EA34AB06E48427A63E1BF457D4F4C413ADA5DE77A5DF3CE549CB00

Function 00007FF6570E76E8 Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 88
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF657081A28: LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A58
Part of subcall function 00007FF657081A28: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A66

GetProcAddressForCaller.KERNELBASE(?,?,?,?,00000000,00007FF6570895EE), ref: 00007FF6570E7715
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF6570895EE), ref: 00007FF6570E7730
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF6570895EE), ref: 00007FF6570E77B0
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6570895EE), ref: 00007FF6570E77CC
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF6570895EE), ref: 00007FF6570E781D
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6570895EE), ref: 00007FF6570E7839

Strings

Failed to load an encryption method, xrefs: 00007FF6570E77FE
AdvApi32.dll, xrefs: 00007FF6570E76F5
Failed to load a decryption method, xrefs: 00007FF6570E786B
SystemFunction040, xrefs: 00007FF6570E770E
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp, xrefs: 00007FF6570E7789, 00007FF6570E77E0, 00007FF6570E784D
CryptProtectMemory, xrefs: 00007FF6570E77A9
CryptUnprotectMemory, xrefs: 00007FF6570E7816
SystemFunction041, xrefs: 00007FF6570E7722
Crypt32.dll, xrefs: 00007FF6570E7760
Failed to load Crypt32.dll, xrefs: 00007FF6570E7772

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressProc$ErrorLast$CallerLibraryLoad
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$Failed to load Crypt32.dll$Failed to load a decryption method$Failed to load an encryption method$SystemFunction040$SystemFunction041$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
API String ID: 1485715633-402918305
Opcode ID: c8d754dcebb0bcdda32ceb95da721a5f4649e71f8044152adca076483cb7a98f
Instruction ID: 8fc06bfbecb515750b45ff97aab447a39cdd470b02a1445dc1d43ccb049e5dc1
Opcode Fuzzy Hash: c8d754dcebb0bcdda32ceb95da721a5f4649e71f8044152adca076483cb7a98f
Instruction Fuzzy Hash: 2141F8A4A1DA4F89FF618B15EC8037422E5AF54785F9C5136C80EF66A0EFBDE949C310

Function 00007FF6570B72C0 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32 ref: 00007FF6570B72F0
CoUninitialize.COMBASE ref: 00007FF6570B7674

Strings

d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B730D, 00007FF6570B73A9, 00007FF6570B73D9, 00007FF6570B750D, 00007FF6570B7584, 00007FF6570B759E, 00007FF6570B7617, 00007FF6570B7641
Failed to set operation complete event., xrefs: 00007FF6570B7590
Failed to reset begin operation event., xrefs: 00007FF6570B7623
Invalid operation for this state., xrefs: 00007FF6570B7657
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00007FF6570B7532
Failed to initialize cabinet.dll., xrefs: 00007FF6570B73BF
<the>.cab, xrefs: 00007FF6570B740C
Failed to wait for begin operation event., xrefs: 00007FF6570B75D1
Failed to initialize COM., xrefs: 00007FF6570B7301

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 3442037557-242603754
Opcode ID: 7adcdc5a8a9af30590740795bf714f35760b2b2a20ca7a4185b08767b44b0a21
Instruction ID: e5f107762d80da4f855b34bc94e65ce288ef18c6a122c86398a617c39e6e46dd
Opcode Fuzzy Hash: 7adcdc5a8a9af30590740795bf714f35760b2b2a20ca7a4185b08767b44b0a21
Instruction Fuzzy Hash: CEB19DB1B0C60B86E7258B15E49067D26E4BF48740F5C123BDA4EE7B94DF6DFA088704

Function 00007FF6570FE140 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 195libraryCOMMON

Download Yara Rule

APIs

DloadAcquireSectionWriteAccess.DELAYIMP ref: 00007FF6570FE165

Part of subcall function 00007FF6570FDD94: DloadProtectSection.DELAYIMP ref: 00007FF6570FDE05

RaiseException.KERNEL32 ref: 00007FF6570FE1E7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6570FE1D3

Part of subcall function 00007FF6570FE0A4: DloadProtectSection.DELAYIMP ref: 00007FF6570FE103

LoadLibraryExA.KERNELBASE ref: 00007FF6570FE286
GetLastError.KERNEL32 ref: 00007FF6570FE294
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6570FE2C6
RaiseException.KERNEL32 ref: 00007FF6570FE2DA

Strings

H, xrefs: 00007FF6570FE1B4

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: DloadSection$AccessWrite$ExceptionProtectRaiseRelease$AcquireErrorLastLibraryLoad
String ID: H
API String ID: 282135826-2852464175
Opcode ID: 4e34e669640002ee8d01061e8b33f596ebf32558e760d5e641b27431fa9a45f2
Instruction ID: ac0bcdd9f24f697521ea97c559cd9764fdb21bde45273295a99ec1619b5a24d2
Opcode Fuzzy Hash: 4e34e669640002ee8d01061e8b33f596ebf32558e760d5e641b27431fa9a45f2
Instruction Fuzzy Hash: 42911CB2A05B5A96EB54CF65D8486AC33E1FB08B58F0C5439DE0DA7754EF38E449C708

Function 00007FF657088E70 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 177windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF65709EB98: RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,00000001,?,00007FF657088ED8), ref: 00007FF65709EC98

IsWindow.USER32 ref: 00007FF65708907E
PostMessageW.USER32 ref: 00007FF657089096
CloseHandle.KERNEL32 ref: 00007FF6570890A5
CloseHandle.KERNEL32 ref: 00007FF6570890BD
CloseHandle.KERNEL32 ref: 00007FF6570890D0
CloseHandle.KERNEL32 ref: 00007FF6570890E2

Strings

Failed to launch clean room process: %ls, xrefs: 00007FF65708901E
Failed to wait for clean room process: %ls, xrefs: 00007FF65708904D
Failed to allocate full command-line., xrefs: 00007FF657088FCF
Failed to open clean room log., xrefs: 00007FF657088EDE
"%ls" %ls, xrefs: 00007FF657088FB6
d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00007FF657088EEF, 00007FF65708905E
Failed to create clean room command-line., xrefs: 00007FF657088FA1
Failed to get path for current process., xrefs: 00007FF657088F21
Failed to cache to clean room., xrefs: 00007FF657088F61

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$Handle$MessagePostWindow
String ID: "%ls" %ls$Failed to allocate full command-line.$Failed to cache to clean room.$Failed to create clean room command-line.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to open clean room log.$Failed to wait for clean room process: %ls$d:\a\wix4\wix4\src\burn\engine\engine.cpp
API String ID: 417716614-4161841978
Opcode ID: bae6123957e4273f7784ba016ea0feb86eda75a7a8ff06c76d11c23fb709da8a
Instruction ID: 658287bfcda07b6d872c722a35727ab439d7cf671fcacaf861b1473d9994fb47
Opcode Fuzzy Hash: bae6123957e4273f7784ba016ea0feb86eda75a7a8ff06c76d11c23fb709da8a
Instruction Fuzzy Hash: 94817D62B28A5A8AFB109F61D8507F923A4FB44798F480231EA1DE7B95DF3CE159C300

Function 00007FF6570E84AC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000002,?,?,00007FF65709EFD4,?,?,?,00000000), ref: 00007FF6570E84E5
LeaveCriticalSection.KERNEL32 ref: 00007FF6570E874E

Strings

Failed to combine the log path., xrefs: 00007FF6570E854E
Failed to ensure log file directory exists: %ls, xrefs: 00007FF6570E85F0
failed to create log file: %ls, xrefs: 00007FF6570E869B
Failed to get log directory., xrefs: 00007FF6570E85C0
Failed to create log based on current system time., xrefs: 00007FF6570E8529
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E8602, 00007FF6570E867C, 00007FF6570E8733
Failed to expand the log path., xrefs: 00007FF6570E858A
Failed to copy log path., xrefs: 00007FF6570E871C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to combine the log path.$Failed to copy log path.$Failed to create log based on current system time.$Failed to ensure log file directory exists: %ls$Failed to expand the log path.$Failed to get log directory.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to create log file: %ls
API String ID: 3168844106-925379867
Opcode ID: 2e734120651806f2d16b40ebd5d3df471a4e83a6027f22c6eb85f537bd505229
Instruction ID: cf9c176ed7549c1d7ac8573f7f804a5439519d984ca4a10ed126b55e7e14b9f3
Opcode Fuzzy Hash: 2e734120651806f2d16b40ebd5d3df471a4e83a6027f22c6eb85f537bd505229
Instruction Fuzzy Hash: D8816DA2B08A0F86EB20DF65E8905B923E4AF84794F4C1535DD5DE7BA4DF3CE4488740

Function 00007FF657091534 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6570915A5
GetLastError.KERNEL32 ref: 00007FF6570915B7
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,?,?,00007FF657091807), ref: 00007FF65709161F
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,?,?,00007FF657091807), ref: 00007FF657091628
DuplicateHandle.KERNELBASE ref: 00007FF65709164A
GetLastError.KERNEL32 ref: 00007FF657091654
SetFilePointerEx.KERNELBASE ref: 00007FF6570916A9
GetLastError.KERNEL32 ref: 00007FF6570916B3

Strings

d:\a\wix4\wix4\src\burn\engine\container.cpp, xrefs: 00007FF6570915CB, 00007FF6570915F7, 00007FF657091668, 00007FF6570916C7, 00007FF65709171B
Failed to open file: %ls, xrefs: 00007FF6570915EB
Failed to open container., xrefs: 00007FF65709170A
Failed to move file pointer to container offset., xrefs: 00007FF6570916E7
Failed to duplicate handle to container: %ls, xrefs: 00007FF657091688

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$d:\a\wix4\wix4\src\burn\engine\container.cpp
API String ID: 2619879409-4109612866
Opcode ID: 580a574426d25143b1fe845e18140cefabf155fe4583366fdbb8ba1263da41e5
Instruction ID: 8eba8d7db4839689a54612833400ed0ba25dd4a30702a5ac8eabdb72bf4dbbcb
Opcode Fuzzy Hash: 580a574426d25143b1fe845e18140cefabf155fe4583366fdbb8ba1263da41e5
Instruction Fuzzy Hash: AF51ADB2B28B66C6E720CB16E84466922E4FB18B90F590139DD4DE3790DF3CE959C784

Function 00007FF6570810B0 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF65708543C: SetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF657085462
Part of subcall function 00007FF65708543C: GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF657085474
Part of subcall function 00007FF65708543C: GetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF65708547E

CreateFileW.KERNELBASE ref: 00007FF65708117F

Part of subcall function 00007FF657081728: HeapSetInformation.KERNEL32 ref: 00007FF657081749
Part of subcall function 00007FF657081728: GetLastError.KERNEL32 ref: 00007FF65708176F
Part of subcall function 00007FF657081728: GetLastError.KERNEL32 ref: 00007FF65708179C

CloseHandle.KERNEL32 ref: 00007FF6570811FD

Strings

cabinet.dll, xrefs: 00007FF6570810D5
feclient.dll, xrefs: 00007FF657081145
wininet.dll, xrefs: 00007FF65708110E
version.dll, xrefs: 00007FF6570810FC
D:\a\wix4\wix4\src\burn\stub\stub.cpp, xrefs: 00007FF6570811DA
msi.dll, xrefs: 00007FF6570810EC
clbcatq.dll, xrefs: 00007FF657081124
comres.dll, xrefs: 00007FF657081119
crypt32.dll, xrefs: 00007FF65708113A
msasn1.dll, xrefs: 00007FF65708112F
Failed to run application., xrefs: 00007FF6570811CE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateHandleHeapInformationModuleName
String ID: D:\a\wix4\wix4\src\burn\stub\stub.cpp$Failed to run application.$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 1668717245-1077387440
Opcode ID: 3ccf7bc6d4935e85ba92efac8401e58cf0f84e35340b10170e0968822d1386aa
Instruction ID: f5114f1ee1eef9a54021570e1f3e298c0c0b8ed8a3671fc3d1f9f7b89ad5b1e0
Opcode Fuzzy Hash: 3ccf7bc6d4935e85ba92efac8401e58cf0f84e35340b10170e0968822d1386aa
Instruction Fuzzy Hash: C6413CB2B19B4699FB10DB61E8503A933E4AF48768F480235DD5DE2794EF3CE119C344

Function 00007FF6570B66F0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE ref: 00007FF6570B6744
GetCurrentProcess.KERNEL32 ref: 00007FF6570B6753
GetCurrentProcess.KERNEL32 ref: 00007FF6570B675C
DuplicateHandle.KERNELBASE ref: 00007FF6570B6782
GetLastError.KERNEL32 ref: 00007FF6570B678C
CreateFileA.KERNEL32 ref: 00007FF6570B683D
GetLastError.KERNEL32 ref: 00007FF6570B684D

Strings

Failed to add virtual file pointer for cab container., xrefs: 00007FF6570B680B
d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B67A0, 00007FF6570B67CE, 00007FF6570B6861, 00007FF6570B6890
Failed to duplicate handle to cab container., xrefs: 00007FF6570B67C0
Failed to open cabinet file: %hs, xrefs: 00007FF6570B687F
<the>.cab, xrefs: 00007FF6570B670B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 3030546534-373254902
Opcode ID: 36aeb0f077e8e6d3bcab6fa8a93048137311a701b94667b809691f3c98990815
Instruction ID: 698b5ebe64f3eafc4141375ef8177a1e1190ce4f4b9951831c7c3be5dd0137a5
Opcode Fuzzy Hash: 36aeb0f077e8e6d3bcab6fa8a93048137311a701b94667b809691f3c98990815
Instruction Fuzzy Hash: A751C2B1B18B4582E710CF51E48076A27E4FB48B90F480239DA9DD3794CF7CE519C744

Function 00007FF6570B7964 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF6570B79A7
GetLastError.KERNEL32 ref: 00007FF6570B79B6

Strings

Failed to create begin operation event., xrefs: 00007FF6570B79EA
Failed to create operation complete event., xrefs: 00007FF6570B7A45
Failed to wait for operation complete., xrefs: 00007FF6570B7AC4
Failed to create extraction thread., xrefs: 00007FF6570B7AAA
d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B79CA, 00007FF6570B7A25, 00007FF6570B7A8A, 00007FF6570B7AD5
Failed to copy file name., xrefs: 00007FF6570B7988

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 545576003-2441605526
Opcode ID: ec51110445c90a18dd0a850491692b75788af5036563afb27417c28084b248ce
Instruction ID: 6760a7c4074dfd12e620a297ff28f269ec55af32836cc965ab952d9a61b73e1b
Opcode Fuzzy Hash: ec51110445c90a18dd0a850491692b75788af5036563afb27417c28084b248ce
Instruction Fuzzy Hash: 4F41C4A1B1874A8AF7609B79E48077922D4BF98760F58113AD90DE7791DF3CF6198304

Function 00007FF6570F1C08 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657081A28: LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A58
Part of subcall function 00007FF657081A28: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A66

CoTaskMemFree.OLE32 ref: 00007FF6570F1D62
FreeLibrary.KERNEL32 ref: 00007FF6570F1D72

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp, xrefs: 00007FF6570F1C66, 00007FF6570F1C9B, 00007FF6570F1D44
SHGetKnownFolderPath, xrefs: 00007FF6570F1C84
Failed to load shell32.dll., xrefs: 00007FF6570F1C4F
Failed to find SHGetKnownFolderPath entry point., xrefs: 00007FF6570F1CB1
Failed to backslash terminate shell folder path: %ls, xrefs: 00007FF6570F1D32
Failed to get known folder path., xrefs: 00007FF6570F1CD8
Failed to copy shell folder path: %ls, xrefs: 00007FF6570F1D0E
shell32.dll, xrefs: 00007FF6570F1C2C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeLibrary$ErrorLastLoadTask
String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to find SHGetKnownFolderPath entry point.$Failed to get known folder path.$Failed to load shell32.dll.$SHGetKnownFolderPath$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp$shell32.dll
API String ID: 3444712580-2659096373
Opcode ID: 744b55a3f1a22f1e5c26f0793c575aa380f9337dbc3496ecdbd2fdf977bea8a8
Instruction ID: 7ba3b631823d0d1ea6cfa05cb3f53e06b02caa1865cd1f6fcebf54d86fd2b4cf
Opcode Fuzzy Hash: 744b55a3f1a22f1e5c26f0793c575aa380f9337dbc3496ecdbd2fdf977bea8a8
Instruction Fuzzy Hash: E9414FA1B1CB4A82EB108B12E48037927A1EF89790F484136D94DE7B64DF3DE549CB48

Function 00007FF6570A91E0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF6570A9DA2,?,?,?,00000000,?,?,?,00007FF657088F9B), ref: 00007FF6570A9207
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF6570A9DA2,?,?,?,00000000,?,?,?,00007FF657088F9B), ref: 00007FF6570A9210
DuplicateHandle.KERNELBASE ref: 00007FF6570A9239
GetLastError.KERNEL32 ref: 00007FF6570A9243
CloseHandle.KERNEL32 ref: 00007FF6570A92EC

Strings

Failed to append the file handle to the command line., xrefs: 00007FF6570A92C9
burn.filehandle.attached, xrefs: 00007FF6570A92AD
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570A9257, 00007FF6570A9285
-%ls=%Iu, xrefs: 00007FF6570A92B4
Failed to duplicate file handle for attached container., xrefs: 00007FF6570A9277

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$d:\a\wix4\wix4\src\burn\engine\core.cpp
API String ID: 4224961946-761155037
Opcode ID: 05a9ff7a00f17664ffa273747c6835349083bcbaf57dd01e3c6d1667ddbf1e4f
Instruction ID: 59a22d17a95f66819ffc3eeea7b520eea1f2cd1f214363cdddb9f8780921b240
Opcode Fuzzy Hash: 05a9ff7a00f17664ffa273747c6835349083bcbaf57dd01e3c6d1667ddbf1e4f
Instruction Fuzzy Hash: E931A1B1B08B4686EB109F16E88026A77A4BB887A4F580235DE4DE37A4DF7CE059C744

Function 00007FF6570E887C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 116fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000,00000001,00007FF6570E7C45), ref: 00007FF6570E8898
WriteFile.KERNELBASE(?,?,?,?,?,00000000,00000001,00007FF6570E7C45), ref: 00007FF6570E8990
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000001,00007FF6570E7C45), ref: 00007FF6570E899A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,00000001,00007FF6570E7C45), ref: 00007FF6570E8A19

Strings

Failed to get length of raw string, xrefs: 00007FF6570E890B
Failed to write output to log: %ls - %hs, xrefs: 00007FF6570E89F9
Failed to concatenate string to pre-init buffer, xrefs: 00007FF6570E895D
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E88FA, 00007FF6570E891F, 00007FF6570E89C8, 00007FF6570E89E0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLastLeaveWrite
String ID: Failed to concatenate string to pre-init buffer$Failed to get length of raw string$Failed to write output to log: %ls - %hs$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
API String ID: 1726892732-492501437
Opcode ID: c1764fad8848d23bf1665b4f293170b41e4aa1ba0d3e3a119a87483487ba6b30
Instruction ID: 2facbef1202debc593afc668ddef0f5045fb87f94e87425d654dc69bfc26dd49
Opcode Fuzzy Hash: c1764fad8848d23bf1665b4f293170b41e4aa1ba0d3e3a119a87483487ba6b30
Instruction Fuzzy Hash: 4841ADA1F18A4F85EB219F26E8801796291AF947A0F5C1235DD5DF7BE4DF3CE9098700

Function 00007FF6570879E8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE ref: 00007FF657087A0C
GetLastError.KERNEL32 ref: 00007FF657087A1A

Part of subcall function 00007FF657087B5C: GetFileAttributesW.KERNEL32 ref: 00007FF657087B6B

CreateDirectoryW.KERNEL32 ref: 00007FF657087ACC
GetLastError.KERNEL32 ref: 00007FF657087AD6

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp, xrefs: 00007FF657087AAC, 00007FF657087B04, 00007FF657087B34
cannot find parent path, xrefs: 00007FF657087B1A
\, xrefs: 00007FF657087A54
failed to create path: %ls, xrefs: 00007FF657087AA0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateDirectoryErrorLast$AttributesFile
String ID: \$cannot find parent path$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp$failed to create path: %ls
API String ID: 925696554-4176349969
Opcode ID: f1714b901ff161b150b00ad0a6fb30e36d1d53899da701369655220b220eef56
Instruction ID: 7d0ed33f44d62fb4d98cf68470024bdcd0054a49fc125c5a33fb96a1a6819bf3
Opcode Fuzzy Hash: f1714b901ff161b150b00ad0a6fb30e36d1d53899da701369655220b220eef56
Instruction Fuzzy Hash: C141A2A1B0C74A8AEB209B52A59027A72D2BF84BC0F4C5031DA4DF7759EF3CE959C744

Function 00007FF657088018 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF657089589), ref: 00007FF657088056
InitializeCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF657089589), ref: 00007FF657088063
InitializeCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF657089589), ref: 00007FF65708807A
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF657089589), ref: 00007FF65708809E

Part of subcall function 00007FF6570E8E18: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8E3A
Part of subcall function 00007FF6570E8E18: GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8E44
Part of subcall function 00007FF6570E8E18: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8F25

Part of subcall function 00007FF6570AB24C: CompareStringW.KERNEL32 ref: 00007FF6570AB2D8
Part of subcall function 00007FF6570AB24C: CompareStringW.KERNEL32 ref: 00007FF6570AB30B
Part of subcall function 00007FF6570AB24C: CompareStringW.KERNEL32 ref: 00007FF6570AB33F
Part of subcall function 00007FF6570AB24C: CompareStringW.KERNEL32 ref: 00007FF6570AB373
Part of subcall function 00007FF6570AB24C: CompareStringW.KERNEL32 ref: 00007FF6570AB3A7

Strings

Failed to initialize internal cache functionality., xrefs: 00007FF657088130
Failed to initialize engine section., xrefs: 00007FF65708810D
d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00007FF657088141
Fatal error while parsing command line., xrefs: 00007FF6570880E6

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString$CriticalInitializeSection$Process$CloseCurrentErrorHandleLastOpenToken
String ID: Failed to initialize engine section.$Failed to initialize internal cache functionality.$Fatal error while parsing command line.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
API String ID: 268551788-2320754317
Opcode ID: 42432ae88bd107c23b7aa40bb498d589d0f96d6003efd884acea9435c5eee8fc
Instruction ID: a5096d99fd0a88daa2083af289ff772317f076e9bb15186714c24590c09518a4
Opcode Fuzzy Hash: 42432ae88bd107c23b7aa40bb498d589d0f96d6003efd884acea9435c5eee8fc
Instruction Fuzzy Hash: 0C31A371709B8685EB20DF51E8406E933A4FB49798F480231DA5CE7B95EF7CE25AC300

Function 00007FF6570E8E18 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8E3A
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8E44
GetTokenInformation.KERNELBASE(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8E9F
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,00007FF6570880B3,?,?,?,?,00000000,00007FF657089589), ref: 00007FF6570E8F25

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E8E58, 00007FF6570E8EE2, 00007FF6570E8F0B
Failed to get elevation token from process., xrefs: 00007FF6570E8EF3
Failed to open process token., xrefs: 00007FF6570E8E78

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastOpenProcess
String ID: Failed to get elevation token from process.$Failed to open process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 3370771294-1812211342
Opcode ID: 38ed1fb0a8f90a3d5dfb85c646750d73fb2bfd1109399e7609f7eff655dcee40
Instruction ID: 8e49a5550862baf76787ede5dd27bfc72ec2ff251097671a31dab48478619caf
Opcode Fuzzy Hash: 38ed1fb0a8f90a3d5dfb85c646750d73fb2bfd1109399e7609f7eff655dcee40
Instruction Fuzzy Hash: 8A3181B2B1874ACAEB109F61D8812BA33E5EB94B54F484139DA0ED32A0DF3CE548C744

Function 00007FF6570EEE04 Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 45COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(?,?,?,?,00000000,00007FF657089653), ref: 00007FF6570EEE15
CLSIDFromProgID.COMBASE(?,?,?,?,00000000,00007FF657089653), ref: 00007FF6570EEE81
CLSIDFromProgID.OLE32(?,?,?,?,00000000,00007FF657089653), ref: 00007FF6570EEE99

Strings

Msxml2.DOMDocument, xrefs: 00007FF6570EEE7A
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EEE3F
failed to initialize COM, xrefs: 00007FF6570EEE28
failed to get CLSID for XML DOM, xrefs: 00007FF6570EEEA5
MSXML.DOMDocument, xrefs: 00007FF6570EEE92

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FromProg$Initialize
String ID: MSXML.DOMDocument$Msxml2.DOMDocument$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to get CLSID for XML DOM$failed to initialize COM
API String ID: 4047641309-3267221515
Opcode ID: dffb43baaddad9bc6bdb51b739d96642f4a3a695025360941462ed5dcd0f4e73
Instruction ID: f955c1d90168f2dfaf70e37a5f2f1da9f6846d630c615cd4b963f38a1f39df22
Opcode Fuzzy Hash: dffb43baaddad9bc6bdb51b739d96642f4a3a695025360941462ed5dcd0f4e73
Instruction Fuzzy Hash: 6611CBA0A1865F8AFB619B55E88427523E5AF54318F9C0036C80DE23A4EF7DF68D8714

Function 00007FF6570F3128 Relevance: 13.6, APIs: 5, Strings: 4, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570F3164
GlobalAlloc.KERNEL32 ref: 00007FF6570F31C9
GetLastError.KERNEL32 ref: 00007FF6570F3214
GetLastError.KERNEL32 ref: 00007FF6570F328E
GlobalFree.KERNEL32 ref: 00007FF6570F32D9

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F3181, 00007FF6570F31A9, 00007FF6570F31DC, 00007FF6570F3231, 00007FF6570F3259, 00007FF6570F32AB
failed to get version value for file: %ls, xrefs: 00007FF6570F32BC
failed to get version info for file: %ls, xrefs: 00007FF6570F3192, 00007FF6570F3242
failed to allocate version info for file: %ls, xrefs: 00007FF6570F31F2

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to allocate version info for file: %ls$failed to get version info for file: %ls$failed to get version value for file: %ls
API String ID: 1145190524-120110023
Opcode ID: 39d30e47cf5d98fbb08267685f51a69969a6f4ec8c60af5f2ef1cbb306806ffd
Instruction ID: eec4be0a5cb28de9419ca4455bb1cbcfea226ab3389365297bd78ca2f9f55d69
Opcode Fuzzy Hash: 39d30e47cf5d98fbb08267685f51a69969a6f4ec8c60af5f2ef1cbb306806ffd
Instruction Fuzzy Hash: E85180B1B18B4A86E7209F56E8801B9B3E4BB44BA0F5C413ADE4DE3751DF3CE5498718

Function 00007FF6570B68E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 104fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE ref: 00007FF6570B6956
GetLastError.KERNEL32 ref: 00007FF6570B6960
ReadFile.KERNELBASE ref: 00007FF6570B69DC
GetLastError.KERNEL32 ref: 00007FF6570B69E6

Strings

Failed to read during cabinet extraction., xrefs: 00007FF6570B6A16
d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B6969, 00007FF6570B69A4, 00007FF6570B69FA, 00007FF6570B6A28
Failed to move to virtual file pointer., xrefs: 00007FF6570B6992

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to move to virtual file pointer.$Failed to read during cabinet extraction.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 2170121939-693781326
Opcode ID: 0ed86816ffb5f291a339978eed2719b9eb369ea735997d4a2ce8bf672f78d7e3
Instruction ID: 55e00c5444bfb16290ee9499e37b4dab0279662530d86aafb0f40a66e5a37e2d
Opcode Fuzzy Hash: 0ed86816ffb5f291a339978eed2719b9eb369ea735997d4a2ce8bf672f78d7e3
Instruction Fuzzy Hash: 0B41A872B18A4586F7219F26F84066A67E4FB98B90F480139DE8ED7764DF3CE145C700

Function 00007FF6570F0D4C Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 91COMMON

Download Yara Rule

Strings

Failed to canonicalize wzPath1., xrefs: 00007FF6570F0D93
Failed to canonicalize wzPath2., xrefs: 00007FF6570F0DBC
Failed to compare canonicalized paths., xrefs: 00007FF6570F0E2B
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00007FF6570F0E0B, 00007FF6570F0E46, 00007FF6570F0E70
Both paths are required., xrefs: 00007FF6570F0E5C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Both paths are required.$Failed to canonicalize wzPath1.$Failed to canonicalize wzPath2.$Failed to compare canonicalized paths.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
API String ID: 0-2188151180
Opcode ID: fede792173ae96eece8cb60ed36197cea2215e18a9e17279548623fb713c1418
Instruction ID: 0f713f88174127679e858efac0c46a8c82abf61a3128e66d50b102de7c2eb7b2
Opcode Fuzzy Hash: fede792173ae96eece8cb60ed36197cea2215e18a9e17279548623fb713c1418
Instruction Fuzzy Hash: A731E4A1B1874A86FB20CB55E8503BA27E0EF88794F884135D90DE3795DF3CE908C744

Function 00007FF657081AE4 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 84COMMON

Download Yara Rule

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 00007FF657081B2C, 00007FF657081B84, 00007FF657081BC7
Failed to get the Windows system directory., xrefs: 00007FF657081B20
Failed to load the library %ls., xrefs: 00007FF657081BF3
%ls%ls, xrefs: 00007FF657081B4E
Failed to create the fully-qualified path to %ls., xrefs: 00007FF657081B6D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: %ls%ls$Failed to create the fully-qualified path to %ls.$Failed to get the Windows system directory.$Failed to load the library %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
API String ID: 0-242608188
Opcode ID: 67ef53d6fb76c82031dae7dc45e5c0847792aa4b6c13489baefde53258fd5f2a
Instruction ID: 8c3b6acf68b34725b58cdcef131bbb4075569e8cfb15ebb8a36d62affb858dc0
Opcode Fuzzy Hash: 67ef53d6fb76c82031dae7dc45e5c0847792aa4b6c13489baefde53258fd5f2a
Instruction Fuzzy Hash: B7317FB2B18B4682E7108B15E48036977E4FF84B90F58013ADA8DD77A5EF3CE559CB44

Function 00007FF6570E67B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32 ref: 00007FF6570E684E
GetLastError.KERNEL32 ref: 00007FF6570E6859

Strings

Failed to parse command line., xrefs: 00007FF6570E688D
Failed to initialize command line., xrefs: 00007FF6570E67F0
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\app2util.cpp, xrefs: 00007FF6570E6807, 00007FF6570E686D
ignored , xrefs: 00007FF6570E67D7
Failed to copy command line., xrefs: 00007FF6570E6836

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: Failed to copy command line.$Failed to initialize command line.$Failed to parse command line.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\app2util.cpp$ignored
API String ID: 3459693003-1494111247
Opcode ID: 9d40f0f7c73836f8c8e5373fdfa9186b3953c36ccd197477d62e72ff3c91e7d9
Instruction ID: ff873414491af72941cea643e5376dac72ad12083af3e9a78a27e5459dac8cda
Opcode Fuzzy Hash: 9d40f0f7c73836f8c8e5373fdfa9186b3953c36ccd197477d62e72ff3c91e7d9
Instruction Fuzzy Hash: AA316BA2B18B4AC6EB10DF15E88076A77E1FB84780F484136DA4DE3B95DE3CE509C704

Function 00007FF6570A9308 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF6570A9367
CloseHandle.KERNEL32 ref: 00007FF6570A940A

Strings

Failed to append the file handle to the command line., xrefs: 00007FF6570A9399
Failed to append the file handle to the obfuscated command line., xrefs: 00007FF6570A93EC
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570A93AA
burn.filehandle.self, xrefs: 00007FF6570A937D, 00007FF6570A93D0
-%ls=%Iu, xrefs: 00007FF6570A9384, 00007FF6570A93D7

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: -%ls=%Iu$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self$d:\a\wix4\wix4\src\burn\engine\core.cpp
API String ID: 3498533004-2018830601
Opcode ID: 2c5df6709ce8b56ce8360d0c2c22f3e1b031a008ac5ae8c2b80303a8fdf89c6d
Instruction ID: 0e05ff87761280b14f5adb6b0c3a058321d07c1536c2ceecd3a92a373c11ca77
Opcode Fuzzy Hash: 2c5df6709ce8b56ce8360d0c2c22f3e1b031a008ac5ae8c2b80303a8fdf89c6d
Instruction Fuzzy Hash: 33319C72B18B4A85EB108B11D8445A933E4BB487B4F584331D97CE77D0DF7DE55A8700

Function 00007FF6570EAD6C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 138stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,PackageCache,WiX\Burn,?,?,?,00007FF6570EA998), ref: 00007FF6570EAF16

Part of subcall function 00007FF657086A48: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A51
Part of subcall function 00007FF657086A48: RtlFreeHeap.NTDLL(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A5F
Part of subcall function 00007FF657086A48: GetLastError.KERNEL32(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A6B

Strings

PackageCache, xrefs: 00007FF6570EAD82
Failed to get size of raw registry value., xrefs: 00007FF6570EADD3
WiX\Burn, xrefs: 00007FF6570EAD80
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EADEA, 00007FF6570EAE8C, 00007FF6570EAEF8
Failed to allocate buffer for raw registry value., xrefs: 00007FF6570EAEA2
Failed to read raw registry value., xrefs: 00007FF6570EAE76
Failed to expand registry value: %ls, xrefs: 00007FF6570EAEE7

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcesslstrlen
String ID: Failed to allocate buffer for raw registry value.$Failed to expand registry value: %ls$Failed to get size of raw registry value.$Failed to read raw registry value.$PackageCache$WiX\Burn$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 1805815496-2559918165
Opcode ID: 8c19b1b00cf8b08b12845aebfda0f427108407bbfc06537a5cf743504ee2fd50
Instruction ID: 9737de57000e3d0a1ff689631b7504575d8c14e4704514839d040b3dabadbdce
Opcode Fuzzy Hash: 8c19b1b00cf8b08b12845aebfda0f427108407bbfc06537a5cf743504ee2fd50
Instruction Fuzzy Hash: 5851ADF1B09B5B85EB209B52A48027A32E1EF89B94F588136DE4DE7751DF3DE449C300

Function 00007FF6570F5F8C Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 140COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570F6031

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\env2util.cpp, xrefs: 00007FF6570F5FEC, 00007FF6570F6112, 00007FF6570F613D
Failed to allocate space for expanded path., xrefs: 00007FF6570F60DC
Failed to get max length of input buffer., xrefs: 00007FF6570F5FD6
Failed to expand environment variables in string: %ls, xrefs: 00007FF6570F611E
Failed to re-allocate more space for expanded path., xrefs: 00007FF6570F60ED
Failed to get max length of written input buffer., xrefs: 00007FF6570F615F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to get max length of written input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\env2util.cpp
API String ID: 1452528299-33012345
Opcode ID: 0013e021e670484a279ca5946d82639de24c974ab2ea8a11bc299b73e1ce5e5c
Instruction ID: ee767a54c2f04caa26d2ceacca28bd0540bc0c36f7eabea97100ba9bb6c2e15b
Opcode Fuzzy Hash: 0013e021e670484a279ca5946d82639de24c974ab2ea8a11bc299b73e1ce5e5c
Instruction Fuzzy Hash: 7651B3A5B0874A82EB20DF16D98057A63E4BF44790F1C4235DE0DE3791EF3DE9199308

Function 00007FF6570EEEC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 124COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6570EEF13

Part of subcall function 00007FF6570EE4B8: GetModuleHandleA.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE4F7
Part of subcall function 00007FF6570EE4B8: GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570EEF27), ref: 00007FF6570EE509

Strings

failed loadXML, xrefs: 00007FF6570EF04B
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EEF5C, 00007FF6570EEFA7
failed put_resolveExternals, xrefs: 00007FF6570EEFDB
failed XmlCreateDocument, xrefs: 00007FF6570EEF3D
failed put_validateOnParse, xrefs: 00007FF6570EEF90

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed loadXML$failed put_resolveExternals$failed put_validateOnParse
API String ID: 52713655-3681987369
Opcode ID: 1f3dcb7df1545f6f33462148bd07c74ca6560f1befc8b4b5d3bd1dbd089af84f
Instruction ID: ae8a1917aaf6e4b97793c859ae06001fdce7784125a6325025a484e6aaee6ed1
Opcode Fuzzy Hash: 1f3dcb7df1545f6f33462148bd07c74ca6560f1befc8b4b5d3bd1dbd089af84f
Instruction Fuzzy Hash: CF518E72B04A4A96EB11CF65D8406ED33A1FB88B98F894031CE0DE7768DF39E55AC344

Function 00007FF6570DE2B8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE2C7
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE2FD
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE32A
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE33B
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE34C
SetLastError.KERNEL32(?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE367

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6262d057a812f5c2f928db953ebc8865f7822feda257fda2b0ccab29179fa8de
Instruction ID: c2f51f41744297a3092d5a2f18c40ba6fb00c60eac67aa67cef14ea013f407f5
Opcode Fuzzy Hash: 6262d057a812f5c2f928db953ebc8865f7822feda257fda2b0ccab29179fa8de
Instruction Fuzzy Hash: 65116DA0E0C34B42FB68AB31954513E61D26F84BB4F5C0734E82EE66D6DE7CB44A4208

Function 00007FF6570B6A70 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE ref: 00007FF6570B6B6E
GetLastError.KERNEL32 ref: 00007FF6570B6B78

Strings

d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B6AD8, 00007FF6570B6B8C, 00007FF6570B6BBC
Invalid seek type., xrefs: 00007FF6570B6AC7
Failed to move file pointer 0x%x bytes., xrefs: 00007FF6570B6BAC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 2976181284-2861879377
Opcode ID: b25aeacc7a5ecf52bfd3d6918e6d373c1f59895f061c1cfa0569b1339377962d
Instruction ID: 2cb201ae974c9b903a7539950b9e968a2e15858b368541ae4fd98546183eb101
Opcode Fuzzy Hash: b25aeacc7a5ecf52bfd3d6918e6d373c1f59895f061c1cfa0569b1339377962d
Instruction Fuzzy Hash: C541F6B2B18A4986EB208F15E450A6DB3E4FF84B94F084136DA8DE7B54CF3CEA45C700

Function 00007FF6570F1D8C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00000005,00000000,?,?,00000000,00007FF6570A1D0C), ref: 00007FF6570F1DFE
GetLastError.KERNEL32 ref: 00007FF6570F1E50

Part of subcall function 00007FF6570F35EC: WriteFile.KERNELBASE ref: 00007FF6570F363F
Part of subcall function 00007FF6570F35EC: GetLastError.KERNEL32 ref: 00007FF6570F3649

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F1E64, 00007FF6570F1E98
Failed to write to target., xrefs: 00007FF6570F1E42
Failed to read from source., xrefs: 00007FF6570F1E84

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLast$ReadWrite
String ID: Failed to read from source.$Failed to write to target.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 277903624-3357669501
Opcode ID: c3623f6dce8561f4e16c1ea28ea20801cc825525acd0a3b2ccc0281a51f03d9c
Instruction ID: 97f3991245287aebb10b8238a6ddee78ed4beffd7011edd29743ac83855673ab
Opcode Fuzzy Hash: c3623f6dce8561f4e16c1ea28ea20801cc825525acd0a3b2ccc0281a51f03d9c
Instruction Fuzzy Hash: 7C31D662B2878687E7208B26A8407A662D4BB847D4F4C0035EE4DD7744EE7CE5498B04

Function 00007FF6570AA168 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00007FF6570AA222
GetLastError.KERNEL32 ref: 00007FF6570AA22C

Strings

CreateProcessW failed with return code: %d, xrefs: 00007FF6570AA263
h, xrefs: 00007FF6570AA1FC
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570AA252, 00007FF6570AA273

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: CreateProcessW failed with return code: %d$d:\a\wix4\wix4\src\burn\engine\core.cpp$h
API String ID: 2919029540-2795142421
Opcode ID: 63136635b7cc7fff6d37b532b63b2002f07edd3706672013ec74a1decf7ef047
Instruction ID: 1b34c570095d6b91cb9bc34f47e76f9f62039eebc7304930e641c679f6d902b9
Opcode Fuzzy Hash: 63136635b7cc7fff6d37b532b63b2002f07edd3706672013ec74a1decf7ef047
Instruction Fuzzy Hash: B731AFB6B18B9486D7608F12E84075AB3E5FB98B90F484136DA8CD3B54CF3CD954CB00

Function 00007FF6570F67D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF6570F687B

Strings

SOFTWARE\Policies\, xrefs: 00007FF6570F67EB
Failed to combine logging path with root path., xrefs: 00007FF6570F67FD
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00007FF6570F6814
Failed to open policy registry key., xrefs: 00007FF6570F6861

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to combine logging path with root path.$Failed to open policy registry key.$SOFTWARE\Policies\$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
API String ID: 3535843008-3658365009
Opcode ID: f7273862b057bd86da3c46715ec3fe7e3719a310ee2464a2ca2d4ba82921e5ab
Instruction ID: c08efc2de4a4fe11a0c28d6ad1518e0092f9f1908cc3d6dc0b20a3c5ade9e7a2
Opcode Fuzzy Hash: f7273862b057bd86da3c46715ec3fe7e3719a310ee2464a2ca2d4ba82921e5ab
Instruction Fuzzy Hash: 1921E4A1B0CB4BC2FB108F92E89037A6394AF447A0F4C4639DA1DE3795DF6CE4098704

Function 00007FF6570E9750 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570818F4: WaitForSingleObject.KERNEL32 ref: 00007FF6570818FC

GetExitCodeProcess.KERNELBASE ref: 00007FF6570E97B5
GetLastError.KERNEL32(?,?,?,?,?,00007FF657089042), ref: 00007FF6570E97BF

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E9794, 00007FF6570E97D3
Failed to wait for process to complete., xrefs: 00007FF6570E977D
Failed to get process return code., xrefs: 00007FF6570E97F3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CodeErrorExitLastObjectProcessSingleWait
String ID: Failed to get process return code.$Failed to wait for process to complete.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 1402617016-1146304469
Opcode ID: b58a270557d855a03ee4fa10c8ab8fbd562e98b6f65b554e0cebba0a7ff55790
Instruction ID: abbdd1e4a1340cecd31cb9e28912c5c9e601767660b65795856c770ad4c20bf7
Opcode Fuzzy Hash: b58a270557d855a03ee4fa10c8ab8fbd562e98b6f65b554e0cebba0a7ff55790
Instruction Fuzzy Hash: 491193A0F1874A86FF108F66E98027662D1AF44B90F5C0135DE4CE3764DE2CD949C705

Function 00007FF6570F5BF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4 ref: 00007FF6570F5C1C
StringFromGUID2.OLE32(?,?,?,?,?,?,?,?,?,00007FF6570A19A9,?,?,?,?,?,00007FF6570A5048), ref: 00007FF6570F5C45

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\guidutil.cpp, xrefs: 00007FF6570F5C5A, 00007FF6570F5C7C
Failed to convert guid into string., xrefs: 00007FF6570F5C68
UuidCreate failed., xrefs: 00007FF6570F5C29

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: Failed to convert guid into string.$UuidCreate failed.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\guidutil.cpp
API String ID: 4041566446-2208176607
Opcode ID: cd3b1b1c901f0fd644786a3a336bff44b11559b46f2e1844788a9fd255fd8d48
Instruction ID: ad35c585a10ce01ce0d1bf828f8daf74a8d25864774b7b4cfbc1c461edadf5e7
Opcode Fuzzy Hash: cd3b1b1c901f0fd644786a3a336bff44b11559b46f2e1844788a9fd255fd8d48
Instruction Fuzzy Hash: 11116071B18B4986EB208F12E8801B973E5BB89B90F480135DA5DE7754EF3DE609CB44

Function 00007FF6570F6AEC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF6570F6BE3

Strings

Failed to open policy key: %ls, name: %ls, xrefs: 00007FF6570F6BA9
Failed to open policy key: %ls, xrefs: 00007FF6570F6B33
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00007FF6570F6B53, 00007FF6570F6BBA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
API String ID: 3535843008-3938230626
Opcode ID: 7b1ebd2ef746dce9c00f325ad910bad3deac876e2e27e991bf2dfa9a74b80cfa
Instruction ID: 51b35da3da521804de593ab5d95ea71d9de8361c052482cb366df5c468f1cd91
Opcode Fuzzy Hash: 7b1ebd2ef746dce9c00f325ad910bad3deac876e2e27e991bf2dfa9a74b80cfa
Instruction Fuzzy Hash: 7941A0B261874A86EB209F52D4806B973E4FB84B80F584235EF4DE3B51CF3CE5998744

Function 00007FF6570F69B4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF6570F6A98

Strings

Failed to open policy key: %ls, name: %ls, xrefs: 00007FF6570F6A5E
Failed to open policy key: %ls, xrefs: 00007FF6570F69EE
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00007FF6570F6A0E, 00007FF6570F6A6F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
API String ID: 3535843008-3938230626
Opcode ID: 87bb9714ae569741a161d9f99453a3141c6ece71bdde9f44eee302eefaf74637
Instruction ID: 34c4e8af09b6eb44c3aa0bf067c0a98115f5e7d8b052c457666f540b7381dd4b
Opcode Fuzzy Hash: 87bb9714ae569741a161d9f99453a3141c6ece71bdde9f44eee302eefaf74637
Instruction Fuzzy Hash: C9319EB271974A86EB219F51E4806B973A0FF84B90F5C8235DA4DE3B50DF3CE9598B04

Function 00007FF6570F35EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF6570F363F
GetLastError.KERNEL32 ref: 00007FF6570F3649

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F3674, 00007FF6570F3697
Failed to write data to file handle., xrefs: 00007FF6570F368B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: Failed to write data to file handle.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 442123175-1082378667
Opcode ID: d407306c0fdceb1b3a9534ce4aa4d1dbd145b762a14b25958bfaf9da883fd8e2
Instruction ID: f933c8deae2897ce9b25985878e277dd02494f5866507c3723add79c2bb25d03
Opcode Fuzzy Hash: d407306c0fdceb1b3a9534ce4aa4d1dbd145b762a14b25958bfaf9da883fd8e2
Instruction Fuzzy Hash: 5221CF72B08B9982E7208F5AE840269A7E0FB84BB0F494235DE4CD7754DF3CE549CB04

Function 00007FF6570F2E84 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE ref: 00007FF6570F2E98
GetLastError.KERNEL32 ref: 00007FF6570F2EA2

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F2ECC, 00007FF6570F2EEA
Failed to set file pointer., xrefs: 00007FF6570F2EDE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to set file pointer.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 2976181284-4026511950
Opcode ID: 9c56ff33643dbda1b4ee31b5768f95f131e0a70ca5b467b0d3bb42afc0c88646
Instruction ID: 2f9cef49d8027760f46b999568d5b27c510db94543ec447119db99ddf75cdfab
Opcode Fuzzy Hash: 9c56ff33643dbda1b4ee31b5768f95f131e0a70ca5b467b0d3bb42afc0c88646
Instruction Fuzzy Hash: A301B972B1C74586E7108B15E99057A73E0AF447A0F5C013ADE4ED3765DE3CD959C704

Function 00007FF6570D3C5C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6570D3C6B

Part of subcall function 00007FF6570D3FA4: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6570D3FC6

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6570D3C80
__scrt_release_startup_lock.LIBCMT ref: 00007FF6570D3CEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6570D3D41

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: 27b8dab774c2d9bab2e773a9f7d5706ea40abbe41812c2071e251beafb35e4d2
Instruction ID: 1db41339cb3f2dffb0e0bd9aacb4861d1b89e558e2b30c8cad424411af98493e
Opcode Fuzzy Hash: 27b8dab774c2d9bab2e773a9f7d5706ea40abbe41812c2071e251beafb35e4d2
Instruction Fuzzy Hash: 853139A1E0D34F85FB64AB65A4653B962D1AF41744F4C4038E94EFB2D7DE2CA40DCB48

Function 00007FF6570EA674 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,00007FF6570EA66D), ref: 00007FF6570EA6C1

Strings

Failed to open registry key, root: %x, subkey: %ls., xrefs: 00007FF6570EA708
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EA6F7, 00007FF6570EA71F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Open
String ID: Failed to open registry key, root: %x, subkey: %ls.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 71445658-2584571730
Opcode ID: 965dfb476a08b0058f714feff75aa3df8aa7835b1a35abdcb0ef4915d9edd745
Instruction ID: c28143e53b337513101eb821bd4699b83e3bd78e6c1f45ec6dac8a6a29b10fde
Opcode Fuzzy Hash: 965dfb476a08b0058f714feff75aa3df8aa7835b1a35abdcb0ef4915d9edd745
Instruction Fuzzy Hash: 6E21F9B1B1875A82F7248716F88063A76D0FB88790F1C413AEE8DE3BA4DE3DD4458700

Function 00007FF6570DB72C Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6570DB728), ref: 00007FF6570DB73D
TerminateProcess.KERNEL32(?,?,?,00007FF6570DB728), ref: 00007FF6570DB748
ExitProcess.KERNEL32 ref: 00007FF6570DB757

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 118586e5da2c2c5df0f31c9d882adbc8871ef55a971431e94d8a96148af0b72d
Instruction ID: 51c183ab7b7d422c84504fa843daf40c833de094cdb51ba74d18785488085fa8
Opcode Fuzzy Hash: 118586e5da2c2c5df0f31c9d882adbc8871ef55a971431e94d8a96148af0b72d
Instruction Fuzzy Hash: 5ED092E8B0878E43EB58BB746C9A57812916F48B05F081438D80BE63A3DD6CB80D8308

Function 00007FF6570E9A7C Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,?,?,?,00000000,?,00007FF6570EADB9,?,?,?,?,PackageCache,WiX\Burn), ref: 00007FF6570E9B25

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a64a5ef4644afd26a39ffb46d3ae2a1aa7cbad339d34b15aea17090be9bbd9d2
Instruction ID: 32ce1dfa89fc441527d5868d666bef2c7b03f5b8ded580425bc7f69d4407f858
Opcode Fuzzy Hash: a64a5ef4644afd26a39ffb46d3ae2a1aa7cbad339d34b15aea17090be9bbd9d2
Instruction Fuzzy Hash: C531C172A08B4A82EB24CF19E58457AB2E5FBC8790F588135DE8DD3768DF3CD4458B00

Function 00007FF6570DB65D Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6570DB68B

Part of subcall function 00007FF6570DB784: GetModuleHandleExW.KERNEL32 ref: 00007FF6570DB7A9
Part of subcall function 00007FF6570DB784: GetProcAddress.KERNEL32 ref: 00007FF6570DB7BF
Part of subcall function 00007FF6570DB784: FreeLibrary.KERNEL32 ref: 00007FF6570DB7E6

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 6256f53ca04e45a470767ab099876bb17516bf02e3579ecd857cdc2fa85d8ce6
Instruction ID: c235f1cfa2638bf5ffc03afbea0ce890dffe7dd1aae1a3edeccaa3ce7f1e4260
Opcode Fuzzy Hash: 6256f53ca04e45a470767ab099876bb17516bf02e3579ecd857cdc2fa85d8ce6
Instruction Fuzzy Hash: F3216D72F047498AEB24AFA4C4407ED33E0EB44B18F580639D61C96AD5DF7CD549CB88

Function 00007FF6570E8A34 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570E7E94: CloseHandle.KERNELBASE(?,?,?,?,00007FF6570E8A3D,?,?,?,?,00007FF657089B13), ref: 00007FF6570E7EBD

DeleteCriticalSection.KERNEL32(?,?,?,?,00007FF657089B13), ref: 00007FF6570E8A4D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCriticalDeleteHandleSection
String ID:
API String ID: 1370521891-0
Opcode ID: 3972122421e57a6d6ed499a902b0d120fed6fd47b253657dadbc3f4465c40462
Instruction ID: 250c5a910c94bbd8c86cdc5d9fe97c4dfa1b8c4bd1dceeb053e4c1aa9fa37135
Opcode Fuzzy Hash: 3972122421e57a6d6ed499a902b0d120fed6fd47b253657dadbc3f4465c40462
Instruction Fuzzy Hash: 4B01F2A2E2EA0F8EFE68AB40E89433422A4BF54305F4D1679D81DF55E1CFBC78488240

Function 00007FF6570DE440 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6570DE46B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: fe93c9f3dae6367e2934335e3a96940a33db470144273d8a97dc67f1954e6c33
Instruction ID: b3d1c17247f90485350872e18d5fd4bff84d5c820d2fb045f3b7f95f5b1343ac
Opcode Fuzzy Hash: fe93c9f3dae6367e2934335e3a96940a33db470144273d8a97dc67f1954e6c33
Instruction Fuzzy Hash: AFE0ECE0D1D30F82FF58BB3044860B812D06F15314FAC0A35D46EE21D2EEBC714E5659

Function 00007FF6570DE884 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6570DE31A,?,?,?,00007FF6570DA7F5,?,?,?,?,00007FF657086E74), ref: 00007FF6570DE8D9

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 6816f070582a0aa4d523cefa68a651e2d594f7e8dc88d9f20504efd4beb997d1
Instruction ID: 4cb2627e8f36578c3db3eccd25cfab13c2f25128fb06bdddd08cf2ab573a30fb
Opcode Fuzzy Hash: 6816f070582a0aa4d523cefa68a651e2d594f7e8dc88d9f20504efd4beb997d1
Instruction Fuzzy Hash: 28F090D4F0978F81FF6567A199403B552D15F84B80F4C0430DD0EE63C2ED3CE5899228

Function 00007FF6570B6610 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF6570B666B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 65306c1bc02eaa31b320e4704995aa6286b217acbabccfd50aa651c1b362c6af
Instruction ID: 806001d25427fea1f7d80bf7bcc9f62c2b23cfb6f0c184320b49f6c91c1999d4
Opcode Fuzzy Hash: 65306c1bc02eaa31b320e4704995aa6286b217acbabccfd50aa651c1b362c6af
Instruction Fuzzy Hash: ACF044A1B15A4A82EB644F25D84172826E0FB5CB74F9D8331CA7DE33E0CE7CE5594700

Function 00007FF6570E7E94 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,00007FF6570E8A3D,?,?,?,?,00007FF657089B13), ref: 00007FF6570E7EBD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 351051fcdfc542b78d82e75e9d4a8f3ed6b9744f615abb6132e3ae73b979003e
Instruction ID: 40f046dcd88b20dfe8d2143098cc4b97ca165c83a86e8aad5326282b85d77c61
Opcode Fuzzy Hash: 351051fcdfc542b78d82e75e9d4a8f3ed6b9744f615abb6132e3ae73b979003e
Instruction Fuzzy Hash: A5F0F4A1E0990F89FE69EB65A8903343290AF44774F5D1335E83DF6AE1CF7CA8894250

Non-executed Functions

Function 00007FF6570AB24C Relevance: 256.9, APIs: 76, Strings: 70, Instructions: 1353stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570AB2D8
CompareStringW.KERNEL32 ref: 00007FF6570AB30B
CompareStringW.KERNEL32 ref: 00007FF6570AB33F
CompareStringW.KERNEL32 ref: 00007FF6570AB373
CompareStringW.KERNEL32 ref: 00007FF6570AB3A7
CompareStringW.KERNEL32 ref: 00007FF6570AB3DB
CompareStringW.KERNEL32 ref: 00007FF6570AB40F
CompareStringW.KERNEL32 ref: 00007FF6570AB443
CompareStringW.KERNEL32 ref: 00007FF6570AB477
CompareStringW.KERNEL32 ref: 00007FF6570AB4AB
CompareStringW.KERNEL32 ref: 00007FF6570AB4DF
CompareStringW.KERNEL32 ref: 00007FF6570AB57B
CompareStringW.KERNEL32 ref: 00007FF6570AB637
CompareStringW.KERNEL32 ref: 00007FF6570AB67E
CompareStringW.KERNEL32 ref: 00007FF6570AB6C5
CompareStringW.KERNEL32 ref: 00007FF6570AB70C
CompareStringW.KERNEL32 ref: 00007FF6570AB753
CompareStringW.KERNEL32 ref: 00007FF6570AB787
CompareStringW.KERNEL32 ref: 00007FF6570AB7BB
CompareStringW.KERNEL32 ref: 00007FF6570AB7F6
CompareStringW.KERNEL32 ref: 00007FF6570AB83B
CompareStringW.KERNEL32 ref: 00007FF6570AB874
CompareStringW.KERNEL32 ref: 00007FF6570AB8E5
CompareStringW.KERNEL32 ref: 00007FF6570AB956
CompareStringW.KERNEL32 ref: 00007FF6570AB9B6
lstrlenW.KERNEL32 ref: 00007FF6570ABA04
CompareStringW.KERNEL32 ref: 00007FF6570ABA2D
lstrlenW.KERNEL32 ref: 00007FF6570ABA43
CompareStringW.KERNEL32 ref: 00007FF6570ABB23
lstrlenW.KERNEL32 ref: 00007FF6570ABC40
lstrlenW.KERNEL32 ref: 00007FF6570ABC4F
CompareStringW.KERNEL32 ref: 00007FF6570ABC7A
lstrlenW.KERNEL32 ref: 00007FF6570ABD0C
lstrlenW.KERNEL32 ref: 00007FF6570ABD88
lstrlenW.KERNEL32 ref: 00007FF6570ABD97
CompareStringW.KERNEL32 ref: 00007FF6570ABDC2
lstrlenW.KERNEL32 ref: 00007FF6570ABDD8
CompareStringW.KERNEL32 ref: 00007FF6570ABE79
CompareStringW.KERNEL32 ref: 00007FF6570ABF0A
CompareStringW.KERNEL32 ref: 00007FF6570ABF5B
CompareStringW.KERNEL32 ref: 00007FF6570ABF92
CompareStringW.KERNEL32 ref: 00007FF6570ABFD1
CompareStringW.KERNEL32 ref: 00007FF6570AC008
CompareStringW.KERNEL32 ref: 00007FF6570AC047
CompareStringW.KERNEL32 ref: 00007FF6570AC081
CompareStringW.KERNEL32 ref: 00007FF6570AC0BB
CompareStringW.KERNEL32 ref: 00007FF6570AC0F5
CompareStringW.KERNEL32 ref: 00007FF6570AC12D
lstrlenW.KERNEL32 ref: 00007FF6570AC191
lstrlenW.KERNEL32 ref: 00007FF6570AC1A0
CompareStringW.KERNEL32 ref: 00007FF6570AC1CB
lstrlenW.KERNEL32 ref: 00007FF6570AC1DD
lstrlenW.KERNEL32 ref: 00007FF6570AC243
lstrlenW.KERNEL32 ref: 00007FF6570AC252
CompareStringW.KERNEL32 ref: 00007FF6570AC27D
lstrlenW.KERNEL32 ref: 00007FF6570AC293
lstrlenW.KERNEL32 ref: 00007FF6570AC315
lstrlenW.KERNEL32 ref: 00007FF6570AC324
CompareStringW.KERNEL32 ref: 00007FF6570AC34F
lstrlenW.KERNEL32 ref: 00007FF6570AC361
lstrlenW.KERNEL32 ref: 00007FF6570AC3C2
lstrlenW.KERNEL32 ref: 00007FF6570AC3D1
CompareStringW.KERNEL32 ref: 00007FF6570AC3FA
lstrlenW.KERNEL32 ref: 00007FF6570AC40C
CompareStringW.KERNEL32 ref: 00007FF6570AC6C2

Strings

Must specify the embedded name, token and parent process id., xrefs: 00007FF6570AC8C2
burn.related.addon, xrefs: 00007FF6570ABF71
Failed to parse elevated connection., xrefs: 00007FF6570ABBFE
Clean room command-line switch must be first argument on command-line., xrefs: 00007FF6570ABC8E
Must specify a path for original source., xrefs: 00007FF6570AC798
burn.filehandle.attached, xrefs: 00007FF6570AC3BB, 00007FF6570AC3C8, 00007FF6570AC3E7, 00007FF6570AC495
Failed to parse splash screen window: '%ls', xrefs: 00007FF6570AC5DE
Failed to ensure size for secret args., xrefs: 00007FF6570AC825
originalsource, xrefs: 00007FF6570AB853
W, xrefs: 00007FF6570AC161
burn.system.component, xrefs: 00007FF6570ABD81, 00007FF6570ABD8E, 00007FF6570ABDA8, 00007FF6570ABDD1
Failed to copy parent., xrefs: 00007FF6570AB920
update, xrefs: 00007FF6570AB766
burn.related.upgrade, xrefs: 00007FF6570ABF3A
Failed to copy append log file path., xrefs: 00007FF6570AC7ED
passive, xrefs: 00007FF6570AB4BE
Must specify the elevated name, token and parent process id., xrefs: 00007FF6570AC851
burn.ancestors, xrefs: 00007FF6570AC23C, 00007FF6570AC249, 00007FF6570AC263, 00007FF6570AC28C, 00007FF6570AC2E1
Failed to allocate the list of ancestors., xrefs: 00007FF6570AC2D0
help, xrefs: 00007FF6570AB3BA
Failed to copy log file path., xrefs: 00007FF6570AC708
burn.related.update, xrefs: 00007FF6570AC060
Failed to copy last used source., xrefs: 00007FF6570AB8AF
modify, xrefs: 00007FF6570AB6EB
noaupause, xrefs: 00007FF6570AB79A
burn.related.patch, xrefs: 00007FF6570ABFE7
quiet, xrefs: 00007FF6570AB422
Must specify a path for log., xrefs: 00007FF6570AC8E9
Missing required parameter for switch: %ls, xrefs: 00007FF6570ABACA, 00007FF6570AC2F4
burn.embedded, xrefs: 00007FF6570ABE58
burn.elevated, xrefs: 00007FF6570ABB02
disablesystemrestore, xrefs: 00007FF6570AB81A
burn.log.mode, xrefs: 00007FF6570AB9FD, 00007FF6570ABA18, 00007FF6570ABA3C, 00007FF6570ABA6C, 00007FF6570ABAB4
burn.runonce, xrefs: 00007FF6570AC10C
Failed to allocate the list of dependencies to ignore., xrefs: 00007FF6570AC21A
uninstall, xrefs: 00007FF6570AB65D
Failed to parse embedded connection., xrefs: 00007FF6570ABED4
parent, xrefs: 00007FF6570AB8C4
Failed to store the custom working directory., xrefs: 00007FF6570AC3AA
package, xrefs: 00007FF6570AB732
Invalid switch: %ls, xrefs: 00007FF6570ABD3A, 00007FF6570ABE04
burn.related.dependent.patch, xrefs: 00007FF6570AC026
burn.related.chain.package, xrefs: 00007FF6570AC09A
burn.splash.screen, xrefs: 00007FF6570AC556, 00007FF6570AC563, 00007FF6570AC582, 00007FF6570AC5FD
Must specify a value for parent., xrefs: 00007FF6570AC7E4
Failed to initialize parent to none., xrefs: 00007FF6570AB980
keepaupaused, xrefs: 00007FF6570AB7D5
silent, xrefs: 00007FF6570AB48A
repair, xrefs: 00007FF6570AB6A4
burn., xrefs: 00007FF6570AC60E, 00007FF6570AC61B, 00007FF6570AC635
Failed to copy source process path., xrefs: 00007FF6570ABD70
Failed to parse file handle: '%ls', xrefs: 00007FF6570AC44C
burn.clean.room, xrefs: 00007FF6570ABC39, 00007FF6570ABC46, 00007FF6570ABC60, 00007FF6570ABD05
burn.related.detect, xrefs: 00007FF6570ABEE9
Failed to ensure size for unknown args., xrefs: 00007FF6570AC8F5
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570AB5EF, 00007FF6570ABAE4, 00007FF6570ABB6E, 00007FF6570ABC0F, 00007FF6570ABCB1, 00007FF6570ABCE2, 00007FF6570ABE16, 00007FF6570AC169, 00007FF6570AC458, 00007FF6570AC719, 00007FF6570AC782, 00007FF6570AC7A4, 00007FF6570AC7CE, 00007FF6570AC803, 00007FF6570AC83B, 00007FF6570AC862, 00007FF6570AC88A, 00007FF6570AC8AC, 00007FF6570AC8D3
burn.passthrough, xrefs: 00007FF6570AC0D4
burn.filehandle.self, xrefs: 00007FF6570AC4A6, 00007FF6570AC4B3, 00007FF6570AC4D2, 00007FF6570AC545
burn.related.dependent.addon, xrefs: 00007FF6570ABFB0
burn.engine.working.directory, xrefs: 00007FF6570AC30E, 00007FF6570AC31B, 00007FF6570AC335, 00007FF6570AC35A
burn.log.append, xrefs: 00007FF6570AB995
parent:none, xrefs: 00007FF6570AB935
Failed to copy path for layout directory., xrefs: 00007FF6570AB5DE
unsafeuninstall, xrefs: 00007FF6570AB616
Multiple mode command-line switches were provided., xrefs: 00007FF6570ABB4B, 00007FF6570ABCD1, 00007FF6570AC146, 00007FF6570AC878
layout, xrefs: 00007FF6570AB55A
Must specify a path for append log., xrefs: 00007FF6570AC819
burn.ignoredependencies, xrefs: 00007FF6570AC18A, 00007FF6570AC197, 00007FF6570AC1B1, 00007FF6570AC1D6, 00007FF6570AC22B
log, xrefs: 00007FF6570AB2EB
xlog, xrefs: 00007FF6570AB31E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: Clean room command-line switch must be first argument on command-line.$Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to copy append log file path.$Failed to copy last used source.$Failed to copy log file path.$Failed to copy parent.$Failed to copy path for layout directory.$Failed to copy source process path.$Failed to ensure size for secret args.$Failed to ensure size for unknown args.$Failed to initialize parent to none.$Failed to parse elevated connection.$Failed to parse embedded connection.$Failed to parse file handle: '%ls'$Failed to parse splash screen window: '%ls'$Failed to store the custom working directory.$Invalid switch: %ls$Missing required parameter for switch: %ls$Multiple mode command-line switches were provided.$Must specify a path for append log.$Must specify a path for log.$Must specify a path for original source.$Must specify a value for parent.$Must specify the elevated name, token and parent process id.$Must specify the embedded name, token and parent process id.$W$burn.$burn.ancestors$burn.clean.room$burn.elevated$burn.embedded$burn.engine.working.directory$burn.filehandle.attached$burn.filehandle.self$burn.ignoredependencies$burn.log.append$burn.log.mode$burn.passthrough$burn.related.addon$burn.related.chain.package$burn.related.dependent.addon$burn.related.dependent.patch$burn.related.detect$burn.related.patch$burn.related.update$burn.related.upgrade$burn.runonce$burn.splash.screen$burn.system.component$d:\a\wix4\wix4\src\burn\engine\core.cpp$disablesystemrestore$help$keepaupaused$layout$log$modify$noaupause$originalsource$package$parent$parent:none$passive$quiet$repair$silent$uninstall$unsafeuninstall$update$xlog
API String ID: 1657112622-2303107143
Opcode ID: fc14395ed4ec41f42face3e38396021dc52055173c1501288e88ed037f15334a
Instruction ID: 8dd5bb84af7b1a9eee855fac9f0d63fc2f64ba01511e6193dd82fce35b2b4383
Opcode Fuzzy Hash: fc14395ed4ec41f42face3e38396021dc52055173c1501288e88ed037f15334a
Instruction Fuzzy Hash: C1D2A1B2E08A4A86EB309F15E8406BA33E5FB98754F59023AD54DE77A4DF3CE548C704

Function 00007FF6570947F8 Relevance: 179.6, APIs: 35, Strings: 67, Instructions: 1058COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF657095503

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

CompareStringW.KERNEL32 ref: 00007FF6570949E7
CompareStringW.KERNEL32 ref: 00007FF657094A70
CompareStringW.KERNEL32 ref: 00007FF657094AA1
CompareStringW.KERNEL32 ref: 00007FF657094AD6
CompareStringW.KERNEL32 ref: 00007FF657094B84
CompareStringW.KERNEL32 ref: 00007FF657094BBC
CompareStringW.KERNEL32 ref: 00007FF657094BEB
CompareStringW.KERNEL32 ref: 00007FF657094C21
CompareStringW.KERNEL32 ref: 00007FF657094C7E
CompareStringW.KERNEL32 ref: 00007FF657094DF6
CompareStringW.KERNEL32 ref: 00007FF657094E26

Part of subcall function 00007FF6570EE988: VariantInit.OLEAUT32 ref: 00007FF6570EE9B6
Part of subcall function 00007FF6570EE988: VariantClear.OLEAUT32 ref: 00007FF6570EEB19
Part of subcall function 00007FF6570EE988: SysFreeString.OLEAUT32 ref: 00007FF6570EEB27

SysFreeString.OLEAUT32 ref: 00007FF6570954B4

Strings

Root, xrefs: 00007FF657094C3E
HKLM, xrefs: 00007FF657094CCB
language, xrefs: 00007FF6570951C9
ProductCode, xrefs: 00007FF657094F99, 00007FF6570950D9
RegistrySearch, xrefs: 00007FF657094C08
Failed to get @UpgradeCode., xrefs: 00007FF657095814
state, xrefs: 00007FF657095045, 00007FF6570951F4
Failed to get Value attribute., xrefs: 00007FF6570956C5
MsiComponentSearch, xrefs: 00007FF657094F63
Failed to get search node count., xrefs: 00007FF6570948B2
Failed to get @ExtensionId., xrefs: 00007FF657095840
value, xrefs: 00007FF657094E0D
Variable, xrefs: 00007FF65709497B
string, xrefs: 00007FF657094EF9, 00007FF65709542C
Failed to get @Id., xrefs: 00007FF657095912
DirectorySearch, xrefs: 00007FF6570949CE
Failed to get @Condition., xrefs: 00007FF6570958D4
assignment, xrefs: 00007FF65709521F
FileSearch, xrefs: 00007FF657094ABD
numeric, xrefs: 00007FF657094ECA, 00007FF657095400
Failed to get @ExpandEnvironment., xrefs: 00007FF65709566C
ExtensionSearch, xrefs: 00007FF657095256
Condition, xrefs: 00007FF6570949A4
version, xrefs: 00007FF657094BA3, 00007FF657094F2C, 00007FF657095196, 00007FF65709545C
Failed to select search nodes., xrefs: 00007FF657094856
Failed to get @Value., xrefs: 00007FF657095877
Failed to get Win64 attribute., xrefs: 00007FF657095699
Failed to get Key attribute., xrefs: 00007FF6570956E7
Failed to get @Variable., xrefs: 00007FF6570958F3
path, xrefs: 00007FF657094A88, 00007FF657094BD2
UpgradeCode, xrefs: 00007FF657095123
formatted, xrefs: 00007FF657094E92, 00007FF6570953C8
DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch|ExtensionSearch|SetVariable, xrefs: 00007FF657094834
Invalid value for @VariableType: %ls, xrefs: 00007FF657095628
keyPath, xrefs: 00007FF657095015
VariableType, xrefs: 00007FF657094E6D
Failed to get @ProductCode., xrefs: 00007FF657095796
Failed to get @Root., xrefs: 00007FF65709573D
Type, xrefs: 00007FF657094A32, 00007FF657094B46, 00007FF657094D8A, 00007FF657094FF0, 00007FF657095171, 00007FF65709539A
directory, xrefs: 00007FF657095070
ExtensionId, xrefs: 00007FF65709528C
Failed to get @ProductCode or @UpgradeCode., xrefs: 00007FF6570957D2
MsiProductSearch, xrefs: 00007FF6570950A7
ComponentId, xrefs: 00007FF657094FC7
exists, xrefs: 00007FF657094A57, 00007FF657094B6B, 00007FF657094DDD
Failed to get next node., xrefs: 00007FF657095921
ExpandEnvironment, xrefs: 00007FF657094E3F
Failed to get @Type., xrefs: 00007FF6570955A2
Unexpected element name: %ls, xrefs: 00007FF6570958A9
SetVariable, xrefs: 00007FF65709531F
Failed to get @Path., xrefs: 00007FF6570955C4
DisableFileRedirection, xrefs: 00007FF657094B18
Invalid value for @Type: %ls, xrefs: 00007FF65709555F
Failed to allocate memory for search structs., xrefs: 00007FF657094901
Value, xrefs: 00007FF657094D5C, 00007FF657095355
Failed to get @VariableType., xrefs: 00007FF65709564A
HKCR, xrefs: 00007FF657094C63
Win64, xrefs: 00007FF657094DB3
Key, xrefs: 00007FF657094D33
Failed to get @ComponentId., xrefs: 00007FF657095774
Path, xrefs: 00007FF657094A09, 00007FF657094AEF
Failed to get DisableFileRedirection attribute., xrefs: 00007FF6570955ED
HKU, xrefs: 00007FF657094CFC
Failed to find extension '%ls' for search '%ls', xrefs: 00007FF657095301
Invalid value for @Root: %ls, xrefs: 00007FF65709571B
HKCU, xrefs: 00007FF657094C9A
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF657094866, 00007FF6570948A1, 00007FF6570948F3, 00007FF6570952CD, 00007FF6570952EB, 00007FF657095542, 00007FF657095575, 00007FF657095594, 00007FF6570955B6, 00007FF6570955DC, 00007FF657095605, 00007FF657095639, 00007FF65709565B, 00007FF657095688, 00007FF6570956B4, 00007FF6570956D6, 00007FF6570956F8, 00007FF65709572C, 00007FF657095763, 00007FF657095788, 00007FF6570957BC, 00007FF6570957EB, 00007FF657095803, 00007FF65709582F, 00007FF657095866, 00007FF657095888, 00007FF6570958C3, 00007FF6570958E2, 00007FF657095901

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$Compare$Free$Variant$ClearHeapInitProcess
String ID: ComponentId$Condition$DirectorySearch$DirectorySearch|FileSearch|RegistrySearch|MsiComponentSearch|MsiProductSearch|MsiFeatureSearch|ExtensionSearch|SetVariable$DisableFileRedirection$ExpandEnvironment$ExtensionId$ExtensionSearch$Failed to allocate memory for search structs.$Failed to find extension '%ls' for search '%ls'$Failed to get @ComponentId.$Failed to get @Condition.$Failed to get @ExpandEnvironment.$Failed to get @ExtensionId.$Failed to get @Id.$Failed to get @Path.$Failed to get @ProductCode or @UpgradeCode.$Failed to get @ProductCode.$Failed to get @Root.$Failed to get @Type.$Failed to get @UpgradeCode.$Failed to get @Value.$Failed to get @Variable.$Failed to get @VariableType.$Failed to get DisableFileRedirection attribute.$Failed to get Key attribute.$Failed to get Value attribute.$Failed to get Win64 attribute.$Failed to get next node.$Failed to get search node count.$Failed to select search nodes.$FileSearch$HKCR$HKCU$HKLM$HKU$Invalid value for @Root: %ls$Invalid value for @Type: %ls$Invalid value for @VariableType: %ls$Key$MsiComponentSearch$MsiProductSearch$Path$ProductCode$RegistrySearch$Root$SetVariable$Type$Unexpected element name: %ls$UpgradeCode$Value$Variable$VariableType$Win64$assignment$d:\a\wix4\wix4\src\burn\engine\search.cpp$directory$exists$formatted$keyPath$language$numeric$path$state$string$value$version
API String ID: 1017089093-2296787432
Opcode ID: 3dc0c97224cfa6b013c6ae1c2adfff102b22e6d3ed1add2691bcae90f4445704
Instruction ID: 91f7d5a73824cdcd45d76043f06ca19f0947649ccd5eec3e4a262b543914362e
Opcode Fuzzy Hash: 3dc0c97224cfa6b013c6ae1c2adfff102b22e6d3ed1add2691bcae90f4445704
Instruction Fuzzy Hash: 52B28FB1B08A4B96EB208F62D8805AD27E0FB58758F58013ADA0DF76A4DF7CE558C344

Function 00007FF65709C5C8 Relevance: 112.7, APIs: 3, Strings: 61, Instructions: 681COMMON

Download Yara Rule

Strings

Failed to parse related bundles, xrefs: 00007FF65709C718
ParentDisplayName, xrefs: 00007FF65709CB60
DisableModify, xrefs: 00007FF65709CC3E
Failed to select registration node., xrefs: 00007FF65709C640
Registration, xrefs: 00007FF65709C5FF
Manufacturer, xrefs: 00007FF65709CE51
Failed to get @Tag., xrefs: 00007FF65709C6C5
Publisher, xrefs: 00007FF65709C9E9
Failed to get @Contact., xrefs: 00007FF65709CC2A
DisableRemove, xrefs: 00007FF65709CD61
Failed to parse software tag., xrefs: 00007FF65709CDD4
Version, xrefs: 00007FF65709C731
PerMachine, xrefs: 00007FF65709C864
Failed to get @DisplayName., xrefs: 00007FF65709C93C
Failed to get @DisableModify., xrefs: 00007FF65709CC7D
Name, xrefs: 00007FF65709CF2D
Comments, xrefs: 00007FF65709CBAB
DisplayName, xrefs: 00007FF65709C908
Failed to get @Id., xrefs: 00007FF65709C685
ExecutableName, xrefs: 00007FF65709C825
Failed to get @Manufacturer., xrefs: 00007FF65709CE80
Failed to get @PerMachine., xrefs: 00007FF65709C896
Failed to select ARP node., xrefs: 00007FF65709C8E9
Tag, xrefs: 00007FF65709C696
Failed to set registration paths., xrefs: 00007FF65709CFBF
Failed to get @UpdateUrl., xrefs: 00007FF65709CB49
Failed to get @ProductFamily., xrefs: 00007FF65709CF16
InProgressDisplayName, xrefs: 00007FF65709C953
Invalid modify disabled type: %ls, xrefs: 00007FF65709CD43
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709C62F, 00007FF65709C674, 00007FF65709C6B4, 00007FF65709C74F, 00007FF65709C79E, 00007FF65709C800, 00007FF65709C843, 00007FF65709C885, 00007FF65709C8D8, 00007FF65709C92B, 00007FF65709C976, 00007FF65709C9C1, 00007FF65709CA0C, 00007FF65709CA57, 00007FF65709CAA2, 00007FF65709CAED, 00007FF65709CB38, 00007FF65709CB83, 00007FF65709CBCE, 00007FF65709CC19, 00007FF65709CC6C, 00007FF65709CD22, 00007FF65709CD84, 00007FF65709CE21, 00007FF65709CE6F, 00007FF65709CEBA, 00007FF65709CF05, 00007FF65709CF4B, 00007FF65709CF91, 00007FF65709CFD0
HelpTelephone, xrefs: 00007FF65709CA7F
HelpLink, xrefs: 00007FF65709CA34
Failed to select Update node., xrefs: 00007FF65709CE32
Contact, xrefs: 00007FF65709CBF6
Classification, xrefs: 00007FF65709CF73
Failed to get @DisableRemove., xrefs: 00007FF65709CD95
Failed to get @ExecutableName., xrefs: 00007FF65709C854
Failed to get @Version., xrefs: 00007FF65709C760
Failed to get @DisplayVersion., xrefs: 00007FF65709C9D2
Failed to get @Name., xrefs: 00007FF65709CF5C
Failed to get @Classification., xrefs: 00007FF65709CFA2
Failed to get @AboutUrl., xrefs: 00007FF65709CAFE
Failed to get @HelpTelephone., xrefs: 00007FF65709CAB3
Failed to get @InProgressDisplayName., xrefs: 00007FF65709C987
yes, xrefs: 00007FF65709CCCC
Failed to get @ProviderKey., xrefs: 00007FF65709C811
Department, xrefs: 00007FF65709CE97
ProviderKey, xrefs: 00007FF65709C7E2
ProductFamily, xrefs: 00007FF65709CEE2
Update, xrefs: 00007FF65709CDED
Arp, xrefs: 00007FF65709C8AA
AboutUrl, xrefs: 00007FF65709CACA
Failed to get @Department., xrefs: 00007FF65709CECB
Failed to get @Comments., xrefs: 00007FF65709CBDF
UpdateUrl, xrefs: 00007FF65709CB15
Failed to get @Publisher., xrefs: 00007FF65709CA1D
Failed to get @HelpLink., xrefs: 00007FF65709CA68
Failed to parse @Version: %ls, xrefs: 00007FF65709C792
DisplayVersion, xrefs: 00007FF65709C99E
Failed to get @ParentDisplayName., xrefs: 00007FF65709CB94
button, xrefs: 00007FF65709CC95

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @InProgressDisplayName.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$InProgressDisplayName$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Registration$Tag$Update$UpdateUrl$Version$button$d:\a\wix4\wix4\src\burn\engine\registration.cpp$yes
API String ID: 760788290-4015652564
Opcode ID: 1170f1058f20d4f206ea7fa92fd00be57f01d0b6b6755a7fd3302ca0ccbf4cef
Instruction ID: e3c139268c69f0b9743e154025f6e5babb89c886fe72c8caeb69b610dabd3e5e
Opcode Fuzzy Hash: 1170f1058f20d4f206ea7fa92fd00be57f01d0b6b6755a7fd3302ca0ccbf4cef
Instruction Fuzzy Hash: 40626BA1F0860B96FB249B75C4902BA63A1BF64354F9C0436DA0EE76A1DF7CE95DC340

Function 00007FF6570B93B4 Relevance: 102.2, APIs: 2, Strings: 56, Instructions: 731COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF6570B9F27

Part of subcall function 00007FF6570B9224: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00007FF6570B9567), ref: 00007FF6570B9392

Strings

Failed to get cached path for related bundle: %ls, xrefs: 00007FF6570B9508
Failed to evaluate bundle package command-line condition., xrefs: 00007FF6570B9986
Failed to append quiet argument., xrefs: 00007FF6570B9A1D
Related bundles must have a fully qualified target path., xrefs: 00007FF6570B948D
Failed to format argument string., xrefs: 00007FF6570B9CAE
burn.system.component, xrefs: 00007FF6570B9B33
Failed to run BUNDLE process, xrefs: 00007FF6570B9E16
-%ls=ALL, xrefs: 00007FF6570B9B77
Failed to get parent directory for QuietUninstallString executable path: %ls, xrefs: 00007FF6570B9705
Failed to build executable path., xrefs: 00007FF6570B94D5, 00007FF6570B975D
Failed to copy package arguments., xrefs: 00007FF6570B9823
Failed to append argument from ARP., xrefs: 00007FF6570B9A2E
Failed to append operation argument., xrefs: 00007FF6570B9A89
Failed to get command-line argument for uninstall., xrefs: 00007FF6570B9975
burn.ancestors, xrefs: 00007FF6570B9BE6
Failed to query ARP for uninstall., xrefs: 00007FF6570B956D
Failed to get cached path for package: %ls, xrefs: 00007FF6570B9737
The only supported action when the cache is not available is UNINSTALL., xrefs: 00007FF6570B9540
Failed to get command-line argument for install., xrefs: 00007FF6570B9901
Failed to allocate obfuscated bundle command., xrefs: 00007FF6570B9D27
-repair, xrefs: 00007FF6570B97E6
Failed to append the parent to the command line., xrefs: 00007FF6570B9B1A
Failed to run bundle as embedded from path: %ls, xrefs: 00007FF6570B9DCE
QuietUninstallString must contain an executable path., xrefs: 00007FF6570B9651
Failed to format obfuscated argument string., xrefs: 00007FF6570B9CFA
WixBundleExecutePackageCacheFolder, xrefs: 00007FF6570B9772, 00007FF6570B9F3F
Invalid Bundle package action: %d., xrefs: 00007FF6570B97C3, 00007FF6570B9959
Failed to append the list of dependencies to ignore to the command line., xrefs: 00007FF6570B9B8E, 00007FF6570B9BC9
Failed to allocate base command., xrefs: 00007FF6570B99B3
Failed to append disable system restore., xrefs: 00007FF6570B9A59
parent, xrefs: 00007FF6570B9AD6
-disablesystemrestore, xrefs: 00007FF6570B9A42
-%ls=%ls, xrefs: 00007FF6570B9BB2, 00007FF6570B9BED
-%ls, xrefs: 00007FF6570B9AA2, 00007FF6570B9ADD, 00007FF6570B9B3D
-quiet, xrefs: 00007FF6570B9A06
%ls %ls, xrefs: 00007FF6570B9D0C
Process returned error: 0x%x, xrefs: 00007FF6570B9E73
-uninstall, xrefs: 00007FF6570B97FF
Failed to append the parent switch to the command line., xrefs: 00007FF6570B9AF4
WixBundleExecutePackageAction, xrefs: 00007FF6570B9792, 00007FF6570B9F5B
Failed to separate command-line arguments., xrefs: 00007FF6570B993E
Failed to verify the QuietUninstallString executable path is in a secure location: %ls, xrefs: 00007FF6570B96B3
burn.filehandle.self, xrefs: 00007FF6570B9C61
%ls, xrefs: 00007FF6570B9A72
Failed to get command-line argument for repair., xrefs: 00007FF6570B98DA
"%ls", xrefs: 00007FF6570B999C
Failed to copy executable path., xrefs: 00007FF6570B9677
Failed to parse QuietUninstallString: %ls., xrefs: 00007FF6570B9622
d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp, xrefs: 00007FF6570B9477, 00007FF6570B94A5, 00007FF6570B9528, 00007FF6570B95DC, 00007FF6570B9639, 00007FF6570B9CBF, 00007FF6570B9E58, 00007FF6570B9E89
Failed to append relation type argument., xrefs: 00007FF6570B9AB9
QuietUninstallString is null., xrefs: 00007FF6570B95F4
burn.ignoredependencies, xrefs: 00007FF6570B9B70, 00007FF6570B9BAB
Failed to append the custom working directory to the bundlepackage command line., xrefs: 00007FF6570B9C34
The QuietUninstallString executable path is not in a secure location: %ls, xrefs: 00007FF6570B96C9
Failed to append the list of ancestors to the command line., xrefs: 00007FF6570B9C04
Failed to append %ls, xrefs: 00007FF6570B9B59, 00007FF6570B9C72

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$Handle
String ID: %ls$ -%ls$ -%ls=%ls$ -%ls=ALL$ -disablesystemrestore$ -quiet$"%ls"$%ls %ls$-repair$-uninstall$Failed to allocate base command.$Failed to allocate obfuscated bundle command.$Failed to append %ls$Failed to append argument from ARP.$Failed to append disable system restore.$Failed to append operation argument.$Failed to append quiet argument.$Failed to append relation type argument.$Failed to append the custom working directory to the bundlepackage command line.$Failed to append the list of ancestors to the command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the parent switch to the command line.$Failed to append the parent to the command line.$Failed to build executable path.$Failed to copy executable path.$Failed to copy package arguments.$Failed to evaluate bundle package command-line condition.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get cached path for package: %ls$Failed to get cached path for related bundle: %ls$Failed to get command-line argument for install.$Failed to get command-line argument for repair.$Failed to get command-line argument for uninstall.$Failed to get parent directory for QuietUninstallString executable path: %ls$Failed to parse QuietUninstallString: %ls.$Failed to query ARP for uninstall.$Failed to run BUNDLE process$Failed to run bundle as embedded from path: %ls$Failed to separate command-line arguments.$Failed to verify the QuietUninstallString executable path is in a secure location: %ls$Invalid Bundle package action: %d.$Process returned error: 0x%x$QuietUninstallString is null.$QuietUninstallString must contain an executable path.$Related bundles must have a fully qualified target path.$The QuietUninstallString executable path is not in a secure location: %ls$The only supported action when the cache is not available is UNINSTALL.$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$burn.ancestors$burn.filehandle.self$burn.ignoredependencies$burn.system.component$d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp$parent
API String ID: 187904097-2509892201
Opcode ID: 43d4a0b7ae3e3ab29b15711caacff0180075177611a256c967ea91f13d3bb872
Instruction ID: a3ebf3d7c8d305c4611d29b1095ac2aa8094d3b1237e6b977b512ca730d9593a
Opcode Fuzzy Hash: 43d4a0b7ae3e3ab29b15711caacff0180075177611a256c967ea91f13d3bb872
Instruction Fuzzy Hash: EB728EA2B1CA4BC6EF208B65D4542BE63E5EB84394F580136DA4DE7799DF3CF6098700

Function 00007FF657092284 Relevance: 79.4, APIs: 2, Strings: 43, Instructions: 614COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EE988: VariantInit.OLEAUT32 ref: 00007FF6570EE9B6
Part of subcall function 00007FF6570EE988: VariantClear.OLEAUT32 ref: 00007FF6570EEB19
Part of subcall function 00007FF6570EE988: SysFreeString.OLEAUT32 ref: 00007FF6570EEB27

CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570991FF), ref: 00007FF6570924D2
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570991FF), ref: 00007FF6570924FE

Strings

embedded, xrefs: 00007FF6570924B7
Failed to select payload nodes., xrefs: 00007FF6570922F1
FileSize, xrefs: 00007FF6570925D6
Packaging, xrefs: 00007FF657092490
Failed to find container: %ls, xrefs: 00007FF65709287A
Failed to get @CertificateRootThumbprint., xrefs: 00007FF657092988
Failed to get @Hash., xrefs: 00007FF657092964
Failed to get @Container., xrefs: 00007FF657092A6F
Hash, xrefs: 00007FF6570926E4
File size is required when verifying by hash for payload: %ls, xrefs: 00007FF6570928EF
Failed to allocate memory for layout payloads., xrefs: 00007FF6570928FE
Failed to get @FileSize., xrefs: 00007FF6570929C6
Failed to create dictionary for payloads., xrefs: 00007FF6570923AB
Failed to hex decode the Payload/@Hash., xrefs: 00007FF6570928B9
Container, xrefs: 00007FF657092518
LayoutOnly, xrefs: 00007FF65709257E
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 00007FF657092897
Invalid value for @Packaging: %ls, xrefs: 00007FF657092AA1
Failed to get @DownloadUrl., xrefs: 00007FF6570929E5
Failed to get next node., xrefs: 00007FF657092B53
DownloadUrl, xrefs: 00007FF6570925AA
Failed to hex decode @CertificateRootThumbprint., xrefs: 00007FF6570928A8
There was no verification information for payload: %ls, xrefs: 00007FF657092945
Failed to get @Id., xrefs: 00007FF657092B47
Failed to create dictionary for container payloads., xrefs: 00007FF657092B61
Failed to get @Packaging., xrefs: 00007FF657092AE1
d:\a\wix4\wix4\src\burn\engine\payload.cpp, xrefs: 00007FF65709235F, 00007FF6570928CF, 00007FF657092925, 00007FF657092953, 00007FF657092977, 00007FF657092996, 00007FF6570929B5, 00007FF6570929D4, 00007FF6570929F6, 00007FF657092A18, 00007FF657092A3B, 00007FF657092A5E, 00007FF657092A80, 00007FF657092AAD, 00007FF657092AD0, 00007FF657092AF2, 00007FF657092B14, 00007FF657092B36, 00007FF657092B83
CertificateRootThumbprint, xrefs: 00007FF65709268E
CertificateRootPublicKeyIdentifier, xrefs: 00007FF657092631
SourcePath, xrefs: 00007FF657092454
Failed to add payload to container dictionary., xrefs: 00007FF657092B6F
FilePath, xrefs: 00007FF65709242B
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 00007FF6570929A7
Failed to parse @FileSize., xrefs: 00007FF657092886
Failed to get @LayoutOnly., xrefs: 00007FF657092A07
@Container is required for embedded payload., xrefs: 00007FF657092A29
Failed to allocate memory for payload structs., xrefs: 00007FF65709236D
Failed to get payload node count., xrefs: 00007FF657092323
Failed to get @FilePath., xrefs: 00007FF657092B25
Failed to get @SourcePath., xrefs: 00007FF657092B03
Failed to add payload to payloads dictionary., xrefs: 00007FF65709290F
external, xrefs: 00007FF6570924E6
Payload, xrefs: 00007FF6570922DF

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$CompareVariant$ClearFreeInit
String ID: @Container is required for embedded payload.$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to add payload to container dictionary.$Failed to add payload to payloads dictionary.$Failed to allocate memory for layout payloads.$Failed to allocate memory for payload structs.$Failed to create dictionary for container payloads.$Failed to create dictionary for payloads.$Failed to find container: %ls$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$File size is required when verifying by hash for payload: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$There was no verification information for payload: %ls$d:\a\wix4\wix4\src\burn\engine\payload.cpp$embedded$external
API String ID: 1311288327-2408702627
Opcode ID: 5fa59fbc48b2a1792706025eff86d56aed105aeda486125f440f35ba33919bd0
Instruction ID: 674ccb28b544078dae6e1414f735d151dde877addd2d1af05f67591dbc9d2c64
Opcode Fuzzy Hash: 5fa59fbc48b2a1792706025eff86d56aed105aeda486125f440f35ba33919bd0
Instruction Fuzzy Hash: 60426BA1B18B1BC6FB20CF66D480AB927E4AB58754F884036DA0DF77A5DE3CE549C740

Function 00007FF6570FA3AC Relevance: 70.4, APIs: 11, Strings: 29, Instructions: 423COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6570FAA01

Strings

Failed to process all ATOM entry elements., xrefs: 00007FF6570FA924
link, xrefs: 00007FF6570FA46B, 00007FF6570FA7B9
Failed to allocate ATOM entry title., xrefs: 00007FF6570FA5D8
Failed to parse ATOM entry content., xrefs: 00007FF6570FA79B
updated, xrefs: 00007FF6570FA64E
published, xrefs: 00007FF6570FA5F6
Failed to allocate ATOM entry published., xrefs: 00007FF6570FA630
author, xrefs: 00007FF6570FA3FD, 00007FF6570FA6A6
Failed to allocate ATOM entry content., xrefs: 00007FF6570FA897
Failed to parse ATOM entry link., xrefs: 00007FF6570FA8CD
Failed to find required feed/entry/title element., xrefs: 00007FF6570FA9AA
title, xrefs: 00007FF6570FA59E
Failed to parse unknown ATOM entry element: %ls, xrefs: 00007FF6570FA8FD
Failed to parse ATOM entry author., xrefs: 00007FF6570FA848
Failed to get child nodes of ATOM entry element., xrefs: 00007FF6570FA4B3
Failed to allocate ATOM entry categories., xrefs: 00007FF6570FA446
category, xrefs: 00007FF6570FA434, 00007FF6570FA6F7
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570FA881, 00007FF6570FA8EB, 00007FF6570FA968, 00007FF6570FA992, 00007FF6570FA9B8, 00007FF6570FA9E8
Failed to allocate ATOM entry links., xrefs: 00007FF6570FA47D
Cannot have two content elements in ATOM entry., xrefs: 00007FF6570FA8AE
Failed to allocate ATOM entry authors., xrefs: 00007FF6570FA40F
content, xrefs: 00007FF6570FA744
summary, xrefs: 00007FF6570FA546
Failed to find required feed/entry/id element., xrefs: 00007FF6570FA9D0
Failed to allocate ATOM entry summary., xrefs: 00007FF6570FA580
Failed to allocate ATOM entry updated., xrefs: 00007FF6570FA688
Failed to find required feed/entry/updated element., xrefs: 00007FF6570FA980
Failed to parse ATOM entry category., xrefs: 00007FF6570FA862
Failed to allocate ATOM entry id., xrefs: 00007FF6570FA528

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString
String ID: Cannot have two content elements in ATOM entry.$Failed to allocate ATOM entry authors.$Failed to allocate ATOM entry categories.$Failed to allocate ATOM entry content.$Failed to allocate ATOM entry id.$Failed to allocate ATOM entry links.$Failed to allocate ATOM entry published.$Failed to allocate ATOM entry summary.$Failed to allocate ATOM entry title.$Failed to allocate ATOM entry updated.$Failed to find required feed/entry/id element.$Failed to find required feed/entry/title element.$Failed to find required feed/entry/updated element.$Failed to get child nodes of ATOM entry element.$Failed to parse ATOM entry author.$Failed to parse ATOM entry category.$Failed to parse ATOM entry content.$Failed to parse ATOM entry link.$Failed to parse unknown ATOM entry element: %ls$Failed to process all ATOM entry elements.$author$category$content$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$link$published$summary$title$updated
API String ID: 3341692771-2592745375
Opcode ID: 6a0daaf6130e23b9235925afa567c147a560c7eba3eeb6340082e00d1bccd2b1
Instruction ID: 53cffad1a6729bbf2c2783b5ac741921090fce6589aac0a011e94b758a9715d9
Opcode Fuzzy Hash: 6a0daaf6130e23b9235925afa567c147a560c7eba3eeb6340082e00d1bccd2b1
Instruction Fuzzy Hash: FB1274F1A08B5A86EB20CF16D88016977E4FB49794F680136D68DE3B64DF3CE549C748

Function 00007FF6570FC364 Relevance: 54.6, APIs: 9, Strings: 22, Instructions: 344COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC3BD
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC3E9
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC434
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC4B5
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC504
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC581
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC5A9
CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D,?,?,?,?,?,00007FF6570C9690), ref: 00007FF6570FC5E3

Strings

Failed to allocate content., xrefs: 00007FF6570FC77F
Failed to allocate application identity., xrefs: 00007FF6570FC639
http://appsyndication.org/2006/appsyn, xrefs: 00007FF6570FC3A4
Failed to parse enclosure., xrefs: 00007FF6570FC858
Failed to allocate content type., xrefs: 00007FF6570FC74F
exclusive, xrefs: 00007FF6570FC568
type, xrefs: 00007FF6570FC41B
version, xrefs: 00007FF6570FC39A, 00007FF6570FC462, 00007FF6570FC4EB
Failed to allocate upgrade id., xrefs: 00007FF6570FC64A
Failed to parse upgrade version string '%ls' from ATOM entry., xrefs: 00007FF6570FC539
Failed to parse version string '%ls' from ATOM entry., xrefs: 00007FF6570FC61C
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp, xrefs: 00007FF6570FC54B, 00007FF6570FC691, 00007FF6570FC6BF, 00007FF6570FC7B4, 00007FF6570FC86F
application, xrefs: 00007FF6570FC3D0
Failed to compare version to upgrade version., xrefs: 00007FF6570FC674
Failed to allocate enclosures for application update entry., xrefs: 00007FF6570FC7CA
Upgrade version is greater than or equal to application version., xrefs: 00007FF6570FC6A7
Failed to allocate application summary., xrefs: 00007FF6570FC71B
true, xrefs: 00007FF6570FC590
Failed to allocate application type., xrefs: 00007FF6570FC628
Failed to allocate application title., xrefs: 00007FF6570FC6EF
upgrade, xrefs: 00007FF6570FC49C
enclosure, xrefs: 00007FF6570FC7E7

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to allocate application identity.$Failed to allocate application summary.$Failed to allocate application title.$Failed to allocate application type.$Failed to allocate content type.$Failed to allocate content.$Failed to allocate enclosures for application update entry.$Failed to allocate upgrade id.$Failed to compare version to upgrade version.$Failed to parse enclosure.$Failed to parse upgrade version string '%ls' from ATOM entry.$Failed to parse version string '%ls' from ATOM entry.$Upgrade version is greater than or equal to application version.$application$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-937056351
Opcode ID: 23ea699e5599f4fe506c16e70333afe659531e457d8e6be03ae07f3ab97b0e9d
Instruction ID: 25e8654729592a3bc79509a274f0c51a3c3e2d734cd7d874889b39ca03a1083e
Opcode Fuzzy Hash: 23ea699e5599f4fe506c16e70333afe659531e457d8e6be03ae07f3ab97b0e9d
Instruction Fuzzy Hash: CAF1A3B1B18A4A86EB20DB16D4416BA33E1FF58BA4F484032DA0DE7A54DF3CE55DC748

Function 00007FF6570BF1E4 Relevance: 40.9, APIs: 2, Strings: 21, Instructions: 633COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570BF4F4
CompareStringW.KERNEL32 ref: 00007FF6570BF6FC

Strings

d:\a\wix4\wix4\src\burn\engine\msiengine.cpp, xrefs: 00007FF6570BF2C2, 00007FF6570BF419, 00007FF6570BF466, 00007FF6570BFA07, 00007FF6570BFA2E, 00007FF6570BFBA2, 00007FF6570BFBC1
Invalid state value., xrefs: 00007FF6570BFA1D
Failed to detect compatible package for MSI package., xrefs: 00007FF6570BFA62
Failed to enum related products., xrefs: 00007FF6570BF94B
Language, xrefs: 00007FF6570BF65B
Failed to compare version '%ls' to dependency version: '%ls', xrefs: 00007FF6570BFB33
BA aborted detect MSI feature., xrefs: 00007FF6570BFA3F
Failed to query feature state., xrefs: 00007FF6570BF9F1
Failed to get version for product in user unmanaged context: %ls, xrefs: 00007FF6570BF93F
Failed to compare version '%ls' to installed version: '%ls', xrefs: 00007FF6570BF33F
VersionString, xrefs: 00007FF6570BF240, 00007FF6570BF509, 00007FF6570BF545
Failed to compare related installed version '%ls' to related max version: '%ls', xrefs: 00007FF6570BF8F3
Failed to get product information for ProductCode: %ls, xrefs: 00007FF6570BF45A
Failed to parse installed version: '%ls' for ProductCode: %ls, xrefs: 00007FF6570BF2B6
Failed to detect dependencies for MSI package., xrefs: 00007FF6570BF9E0
Failed to get version for product in machine context: %ls, xrefs: 00007FF6570BF8A6
Failed to compare related installed version '%ls' to related min version: '%ls', xrefs: 00007FF6570BF8CA
Failed to parse related installed version: '%ls' for ProductCode: %ls, xrefs: 00007FF6570BF925
BA aborted detect compatible MSI package., xrefs: 00007FF6570BFBB3
Failed to parse dependency version: '%ls' for ProductCode: %ls, xrefs: 00007FF6570BFABC
BA aborted detect related MSI package., xrefs: 00007FF6570BF427

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect MSI feature.$BA aborted detect compatible MSI package.$BA aborted detect related MSI package.$Failed to compare related installed version '%ls' to related max version: '%ls'$Failed to compare related installed version '%ls' to related min version: '%ls'$Failed to compare version '%ls' to dependency version: '%ls'$Failed to compare version '%ls' to installed version: '%ls'$Failed to detect compatible package for MSI package.$Failed to detect dependencies for MSI package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to parse dependency version: '%ls' for ProductCode: %ls$Failed to parse installed version: '%ls' for ProductCode: %ls$Failed to parse related installed version: '%ls' for ProductCode: %ls$Failed to query feature state.$Invalid state value.$Language$VersionString$d:\a\wix4\wix4\src\burn\engine\msiengine.cpp
API String ID: 1825529933-4240161938
Opcode ID: 0123d77c6365f2c4257f757a9fc96eb2d8538189ded58550cc1b67182254bd5d
Instruction ID: 0f5aab53eb42a6a8018bef2fadb1d7dd3d5530cae4b5d3ca40da9756d5afbe97
Opcode Fuzzy Hash: 0123d77c6365f2c4257f757a9fc96eb2d8538189ded58550cc1b67182254bd5d
Instruction Fuzzy Hash: 77526BB2B08A4A9AEB64CB65D0503AD33E1FB48748F580136DA4DE7B95DF3CF6198740

Function 00007FF6570D2E58 Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 248synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

CreateEventW.KERNEL32(?,?,?,?,?,?,00000000,00007FF6570D37B5), ref: 00007FF6570D2EE6
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6570D37B5), ref: 00007FF6570D2EF5
ReleaseMutex.KERNEL32 ref: 00007FF6570D3226

Strings

Failed to create event: %ls, xrefs: 00007FF6570D2F29, 00007FF6570D2FE1
failed to allocate memory for event name, xrefs: 00007FF6570D2F77
d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp, xrefs: 00007FF6570D2E9F, 00007FF6570D2EBB, 00007FF6570D2F09, 00007FF6570D2F3C, 00007FF6570D2FB7, 00007FF6570D3049, 00007FF6570D30BB, 00007FF6570D3121
Failed to memory map cabinet file: %ls, xrefs: 00007FF6570D30DB
Failed to MapViewOfFile for %ls., xrefs: 00007FF6570D3141
failed to copy event name to shared memory structure., xrefs: 00007FF6570D316C
Failed to allocate memory for NetFxChainer struct., xrefs: 00007FF6570D2EAD
failed to allocate memory for mutex name, xrefs: 00007FF6570D3009
%ls_mutex, xrefs: 00007FF6570D2FF2
%ls_send, xrefs: 00007FF6570D2F60
Failed to create mutex: %ls, xrefs: 00007FF6570D3073

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorEventHeapLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 2541623014-3435579092
Opcode ID: 76613ab1a2616fd746ed7da0be1fbb8cee82fcc707d4b14d28461955692d2df9
Instruction ID: 859baaa34c462927cc13fee8c5e2c985847847b27ce90cd719b90dbcc951cf1c
Opcode Fuzzy Hash: 76613ab1a2616fd746ed7da0be1fbb8cee82fcc707d4b14d28461955692d2df9
Instruction Fuzzy Hash: 44B1BFB1B08B5AC6EB10CB65D48076927E4FB58B90F484539DE4DD3BA0EF3CE4198748

Function 00007FF6570A0488 Relevance: 38.7, APIs: 10, Strings: 12, Instructions: 236pipeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570A04EE
CreateNamedPipeW.KERNEL32 ref: 00007FF6570A05EB
GetLastError.KERNEL32 ref: 00007FF6570A05FA
CloseHandle.KERNEL32 ref: 00007FF6570A0800
LocalFree.KERNEL32 ref: 00007FF6570A082B

Strings

Failed to create logging pipe: %ls, xrefs: 00007FF6570A07CC
\\.\pipe\%ls.Log, xrefs: 00007FF6570A072E
\\.\pipe\%ls.Cache, xrefs: 00007FF6570A0651
d:\a\wix4\wix4\src\burn\engine\pipe.cpp, xrefs: 00007FF6570A0502, 00007FF6570A053D, 00007FF6570A0593, 00007FF6570A060E, 00007FF6570A0680, 00007FF6570A06F4, 00007FF6570A07A1, 00007FF6570A07D8
Failed to allocate full name of pipe: %ls, xrefs: 00007FF6570A057D
Failed to create cache pipe: %ls, xrefs: 00007FF6570A071F
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00007FF6570A04DE
Failed to create the security descriptor for the connection event and pipe., xrefs: 00007FF6570A0522
Failed to create pipe: %ls, xrefs: 00007FF6570A0639
Failed to allocate full name of cache pipe: %ls, xrefs: 00007FF6570A0674
Failed to allocate full name of logging pipe: %ls, xrefs: 00007FF6570A0751
\\.\pipe\%ls, xrefs: 00007FF6570A0564

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$CloseCreateFreeHandleLocalNamedPipe
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of logging pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create cache pipe: %ls$Failed to create logging pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$\\.\pipe\%ls.Log$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
API String ID: 1815745246-2819417629
Opcode ID: 567f2d78391e832f954883df963d1b3695d9fe8fd18bacc2e23b07cc27e715f0
Instruction ID: 1ae13b921e229ff1f5d73818660f1d455e3689742afef4a51e2661b1a942836c
Opcode Fuzzy Hash: 567f2d78391e832f954883df963d1b3695d9fe8fd18bacc2e23b07cc27e715f0
Instruction Fuzzy Hash: 6EB16271B18B4A86EB608F25E8803AA37E4FB847A4F580235DA5DE3794DF3CD519C744

Function 00007FF6570E73D0 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 195encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,?,?,?,?,?,?,00007FF6570A31C2), ref: 00007FF6570E744B
GetLastError.KERNEL32 ref: 00007FF6570E7455
CryptCreateHash.ADVAPI32 ref: 00007FF6570E74AD
GetLastError.KERNEL32 ref: 00007FF6570E74B7
CryptDestroyHash.ADVAPI32 ref: 00007FF6570E75A8
CryptReleaseContext.ADVAPI32 ref: 00007FF6570E75BA
GetLastError.KERNEL32 ref: 00007FF6570E75E4
CryptGetHashParam.ADVAPI32 ref: 00007FF6570E7637
GetLastError.KERNEL32 ref: 00007FF6570E7641
SetFilePointerEx.KERNEL32 ref: 00007FF6570E7698
GetLastError.KERNEL32 ref: 00007FF6570E76A6

Strings

Failed to read data block., xrefs: 00007FF6570E7576
Failed to get file pointer., xrefs: 00007FF6570E76DA
Failed to hash data block., xrefs: 00007FF6570E7618
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp, xrefs: 00007FF6570E7469, 00007FF6570E74CB, 00007FF6570E7556, 00007FF6570E758E, 00007FF6570E75F8, 00007FF6570E7655, 00007FF6570E76BA
@, xrefs: 00007FF6570E7439
Failed to acquire crypto context., xrefs: 00007FF6570E7489
Failed to initiate hash., xrefs: 00007FF6570E74EB
Failed to get hash value., xrefs: 00007FF6570E7675

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CryptErrorLast$Hash$Context$AcquireCreateDestroyFileParamPointerRelease
String ID: @$Failed to acquire crypto context.$Failed to get file pointer.$Failed to get hash value.$Failed to hash data block.$Failed to initiate hash.$Failed to read data block.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\cryputil.cpp
API String ID: 1716956426-2527826350
Opcode ID: 22613951719ddfd963dcee3be013201e57e4ca8e0c656bdd42f3a2475839783b
Instruction ID: 469a1213b7aa671caddca2b978cfd18e8e1dae5f390ea5de3dab29f317acf662
Opcode Fuzzy Hash: 22613951719ddfd963dcee3be013201e57e4ca8e0c656bdd42f3a2475839783b
Instruction Fuzzy Hash: FA819762F2869A86F771CF26D80077622E4BF84B90F594135DD0DE7A94DF3CD9098784

Function 00007FF6570F58AC Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 225registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF6570F5AAE
RegCloseKey.ADVAPI32 ref: 00007FF6570F5B44
RegCloseKey.ADVAPI32 ref: 00007FF6570F5BA9
RegCloseKey.ADVAPI32 ref: 00007FF6570F5BBD
RegCloseKey.ADVAPI32 ref: 00007FF6570F5BD1

Strings

Failed to get the number of dependent subkeys under the dependency "%ls"., xrefs: 00007FF6570F5A8A
Failed to open the registry key for the dependency "%ls"., xrefs: 00007FF6570F5994
Failed to open root registry key "%ls"., xrefs: 00007FF6570F5923
Failed to delete the dependents subkey under the dependency "%ls"., xrefs: 00007FF6570F5AF1
Failed to delete the dependency "%ls"., xrefs: 00007FF6570F5B81
Failed to get the number of values under the dependency "%ls"., xrefs: 00007FF6570F5B24
Failed to delete the dependent "%ls" under the dependency "%ls"., xrefs: 00007FF6570F5A32
Failed to open the dependents subkey under the dependency "%ls"., xrefs: 00007FF6570F59E2
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00007FF6570F5935, 00007FF6570F5A49

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to delete the dependency "%ls".$Failed to delete the dependent "%ls" under the dependency "%ls".$Failed to delete the dependents subkey under the dependency "%ls".$Failed to get the number of dependent subkeys under the dependency "%ls".$Failed to get the number of values under the dependency "%ls".$Failed to open root registry key "%ls".$Failed to open the dependents subkey under the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
API String ID: 3535843008-1164676106
Opcode ID: 8c98d7096498dbc8c69f88c578c4fa4eb06364381833420200c8288e9a3840ad
Instruction ID: 1d6b6d7241260afa27bcf2dc931eddc2e63ab03a718fdf8c92d74ee67f230cfd
Opcode Fuzzy Hash: 8c98d7096498dbc8c69f88c578c4fa4eb06364381833420200c8288e9a3840ad
Instruction Fuzzy Hash: 26A18EA2B1CB1B86FB208BA2D8D17BA23E4AF44354F1C4535DE1DE6A84DF7CE4488344

Function 00007FF6570C2E38 Relevance: 24.1, Strings: 19, Instructions: 369COMMON

Download Yara Rule

Strings

WixBundleExecutePackageAction, xrefs: 00007FF6570C2FB3, 00007FF6570C340C
Failed to enable logging for package: %ls to: %ls, xrefs: 00007FF6570C3120
PATCH="%ls", xrefs: 00007FF6570C31CC, 00007FF6570C31F9
Failed to add properties to argument string., xrefs: 00007FF6570C316B
Failed to build MSP path., xrefs: 00007FF6570C3009
WixBundleExecutePackageCacheFolder, xrefs: 00007FF6570C2F12, 00007FF6570C33EF
Failed to initialize internal UI for MSP package., xrefs: 00007FF6570C2FF8
Failed to install MSP package., xrefs: 00007FF6570C3305
Failed to add PATCH property to argument string., xrefs: 00007FF6570C31E3
Failed to add action property to argument string., xrefs: 00007FF6570C3248
Failed to semi-colon delimit patches., xrefs: 00007FF6570C307A
Failed to get cached path for MSP package: %ls, xrefs: 00007FF6570C304C
Failed to add action property to obfuscated argument string., xrefs: 00007FF6570C3280
Failed to uninstall MSP package., xrefs: 00007FF6570C3331
Failed to append patch., xrefs: 00007FF6570C3088
Failed to initialize external UI handler., xrefs: 00007FF6570C30BD
d:\a\wix4\wix4\src\burn\engine\mspengine.cpp, xrefs: 00007FF6570C301A, 00007FF6570C303B, 00007FF6570C3114, 00007FF6570C3342
Failed to add PATCH property to obfuscated argument string., xrefs: 00007FF6570C3210
Failed to add properties to obfuscated argument string., xrefs: 00007FF6570C31B0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: PATCH="%ls"$Failed to add PATCH property to argument string.$Failed to add PATCH property to obfuscated argument string.$Failed to add action property to argument string.$Failed to add action property to obfuscated argument string.$Failed to add properties to argument string.$Failed to add properties to obfuscated argument string.$Failed to append patch.$Failed to build MSP path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for MSP package: %ls$Failed to initialize external UI handler.$Failed to initialize internal UI for MSP package.$Failed to install MSP package.$Failed to semi-colon delimit patches.$Failed to uninstall MSP package.$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$d:\a\wix4\wix4\src\burn\engine\mspengine.cpp
API String ID: 0-3726864999
Opcode ID: 2de498033f03e5d447aca2b2c87ba6402b5d765bf1f6cd61e8994a212497dde9
Instruction ID: 63e47d4bd3055ddb04fe711f263be59420f63ae77f1d39b8ef286e75d2698ea5
Opcode Fuzzy Hash: 2de498033f03e5d447aca2b2c87ba6402b5d765bf1f6cd61e8994a212497dde9
Instruction Fuzzy Hash: E102C372B18B4A86EB20CB11E4506AEB7A4FB88794F580136DE4CE7B54DF3DE159CB00

Function 00007FF6570F1ED0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F3090: GetFileSizeEx.KERNEL32 ref: 00007FF6570F30A7
Part of subcall function 00007FF6570F3090: GetLastError.KERNEL32 ref: 00007FF6570F30B1

SetFilePointerEx.KERNEL32(?,00000000,?,00000000,?,00000001,?,?,00007FF6570CBF1F,?,?,?,?,00000000,00000000,?), ref: 00007FF6570F1FBE
SetEndOfFile.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF6570CECC6), ref: 00007FF6570F1FC7
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,00007FF6570CECC6), ref: 00007FF6570F1FD1

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F1FE5, 00007FF6570F2047, 00007FF6570F2184, 00007FF6570F21B9
Failed to write to target., xrefs: 00007FF6570F2162
Failed to set end of target file., xrefs: 00007FF6570F2003
Failed to get size of source., xrefs: 00007FF6570F1F3F
Failed to reset target file pointer., xrefs: 00007FF6570F2065
Failed to read from source., xrefs: 00007FF6570F21A2

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: File$ErrorLast$PointerSize
String ID: Failed to get size of source.$Failed to read from source.$Failed to reset target file pointer.$Failed to set end of target file.$Failed to write to target.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 1903691966-2291708945
Opcode ID: ef2983a31ace188120a8058b9423d34906c611ed0e308f82cb4799c250dd8c03
Instruction ID: e839261e40a30c513d61925c9413b76182d57099c4ce504a2c427046fed9cccd
Opcode Fuzzy Hash: ef2983a31ace188120a8058b9423d34906c611ed0e308f82cb4799c250dd8c03
Instruction Fuzzy Hash: BF81B672B18B5682E7618B26E850B7A63D4FB84790F480135EE4DE7B54DF3CE548CB48

Function 00007FF65709B068 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 106registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EA564: RegCloseKey.ADVAPI32 ref: 00007FF6570EA642

RegCloseKey.ADVAPI32 ref: 00007FF65709B1E7

Strings

SOFTWARE\Microsoft\ServerManager, xrefs: 00007FF65709B095
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update, xrefs: 00007FF65709B130
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00007FF65709B157, 00007FF65709B176
PendingFileRenameOperations2, xrefs: 00007FF65709B16F
SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF65709B19D
PendingFileRenameOperations, xrefs: 00007FF65709B150
AUState, xrefs: 00007FF65709B124
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress, xrefs: 00007FF65709B101
UpdateExeVolatile, xrefs: 00007FF65709B0B6
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending, xrefs: 00007FF65709B0E2
SOFTWARE\Microsoft\Updates, xrefs: 00007FF65709B0C2
CurrentRebootAttempts, xrefs: 00007FF65709B08B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: AUState$CurrentRebootAttempts$PendingFileRenameOperations$PendingFileRenameOperations2$SOFTWARE\Microsoft\ServerManager$SOFTWARE\Microsoft\Updates$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress$SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending$SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update$SYSTEM\CurrentControlSet\Control\Session Manager$SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations$UpdateExeVolatile
API String ID: 3535843008-3032311648
Opcode ID: 49b7623804ec5af1792cd0e26b287ef11a3a56b42638c72f1400bbc35731a22d
Instruction ID: d1aa6754f40b8662c04b058cfaab9a961bdac28df9a8fa6a9dcf4a1607797b13
Opcode Fuzzy Hash: 49b7623804ec5af1792cd0e26b287ef11a3a56b42638c72f1400bbc35731a22d
Instruction Fuzzy Hash: 8A4196A2B0875BC6FB20AB21D841AF523D0AF597D8F891132DD0DE7A95DF6CE149C304

Function 00007FF6570C8184 Relevance: 21.7, Strings: 17, Instructions: 443COMMON

Download Yara Rule

Strings

Failed to create dictionary for planned packages., xrefs: 00007FF6570C822B
Failed to allocate the custom working directory., xrefs: 00007FF6570C87F5
Failed to calculate plan for related bundle: %ls, xrefs: 00007FF6570C878B
Failed to get the list of dependencies to ignore., xrefs: 00007FF6570C81ED
Failed to copy the list of dependencies to ignore., xrefs: 00007FF6570C8727
Failed to allocate the list of ancestors., xrefs: 00007FF6570C87E7
Failed to check the dictionary for a related bundle provider key: "%ls"., xrefs: 00007FF6570C8704
d:\a\wix4\wix4\src\burn\engine\plan.cpp, xrefs: 00007FF6570C81FF, 00007FF6570C8324
Failed to begin plan dependency actions to package: %ls, xrefs: 00007FF6570C8746
Failed to allocate the list of dependencies to ignore., xrefs: 00007FF6570C87D9
Failed to plan related bundle package provider actions., xrefs: 00007FF6570C87B1
Failed to append restore related bundle action to plan., xrefs: 00007FF6570C8803
Failed to grow plan's array of restore related bundle actions., xrefs: 00007FF6570C8614
BA aborted plan restore related bundle., xrefs: 00007FF6570C8823
Failed to complete plan dependency actions for related bundle package: %ls, xrefs: 00007FF6570C875D, 00007FF6570C87A5
Failed to begin plan dependency actions for related bundle package: %ls, xrefs: 00007FF6570C87CD
Failed to add to plan related bundle: %ls, xrefs: 00007FF6570C8774

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: BA aborted plan restore related bundle.$Failed to add to plan related bundle: %ls$Failed to allocate the custom working directory.$Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to append restore related bundle action to plan.$Failed to begin plan dependency actions for related bundle package: %ls$Failed to begin plan dependency actions to package: %ls$Failed to calculate plan for related bundle: %ls$Failed to check the dictionary for a related bundle provider key: "%ls".$Failed to complete plan dependency actions for related bundle package: %ls$Failed to copy the list of dependencies to ignore.$Failed to create dictionary for planned packages.$Failed to get the list of dependencies to ignore.$Failed to grow plan's array of restore related bundle actions.$Failed to plan related bundle package provider actions.$d:\a\wix4\wix4\src\burn\engine\plan.cpp
API String ID: 0-2008653302
Opcode ID: 99fb9671b880673ce46979269a9774a41e386a632474ad8ab5a0102e74933644
Instruction ID: 2d6b5704b6abece34c51e648f4c34585e225d0b13c8dc5a991e61066bc4ccd89
Opcode Fuzzy Hash: 99fb9671b880673ce46979269a9774a41e386a632474ad8ab5a0102e74933644
Instruction Fuzzy Hash: 7912E1B2B08A8A86EB648B15D44877AB3E9FB84385F184135DA0DE77D4DF3CE458C714

Function 00007FF6570A40C4 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 230COMMON

Download Yara Rule

Strings

Failed to transfer working path to unverified path for payload: %ls., xrefs: 00007FF6570A422F
Aborted transferring working path to unverified path for payload: %ls., xrefs: 00007FF6570A4295
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A4132, 00007FF6570A41BB, 00007FF6570A43D1, 00007FF6570A440E
Failed to create unverified path., xrefs: 00007FF6570A41AA
Failed to reset permissions on unverified cached payload: %ls, xrefs: 00007FF6570A42C0
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00007FF6570A4402
Failed to get cached path for package with cache id: %ls, xrefs: 00007FF6570A4121
Failed to verify payload: %ls at path: %ls, xrefs: 00007FF6570A4333
moving, xrefs: 00007FF6570A4343
Failed to move verified file to complete payload path: %ls, xrefs: 00007FF6570A43AE
copying, xrefs: 00007FF6570A434E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Aborted transferring working path to unverified path for payload: %ls.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$Failed to verify payload: %ls at path: %ls$copying$d:\a\wix4\wix4\src\burn\engine\cache.cpp$moving
API String ID: 0-1123430254
Opcode ID: 21c607fde78656ea0af1cbd3214195cc5f6d5847ee0ef46d9fad955cb31a2b4c
Instruction ID: 661c1968c249cd1980684be9ecde0a01dc66b70ee5a29631f04a32016ee9c492
Opcode Fuzzy Hash: 21c607fde78656ea0af1cbd3214195cc5f6d5847ee0ef46d9fad955cb31a2b4c
Instruction Fuzzy Hash: 3EA19F76718B4682EB208F66E8806AA73E4FB88784F444135FE8DE7B59DF7CD1158704

Function 00007FF6570E8F38 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6570E8F7E
GetLastError.KERNEL32 ref: 00007FF6570E8F88
OpenProcessToken.ADVAPI32 ref: 00007FF6570E8FFB
GetLastError.KERNEL32 ref: 00007FF6570E9005
CloseHandle.KERNEL32 ref: 00007FF6570E90E5

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E8F9C, 00007FF6570E8FD3, 00007FF6570E9019, 00007FF6570E904B, 00007FF6570E909F
Failed to get privilege LUID: %ls, xrefs: 00007FF6570E8FBC
Failed to get process token to adjust privileges., xrefs: 00007FF6570E903F
Failed to adjust token to add privilege: %ls, xrefs: 00007FF6570E90BF

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
String ID: Failed to adjust token to add privilege: %ls$Failed to get privilege LUID: %ls$Failed to get process token to adjust privileges.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 1673749002-2883319381
Opcode ID: fe9d2d278bc2d0aa03a023330ebbcf48377f5e497944df9345d58de9ad3c922f
Instruction ID: 885d47f3db16e33b97a839bd4801e0461f1dde48fcecc1fc7d7d4b9040c33d4d
Opcode Fuzzy Hash: fe9d2d278bc2d0aa03a023330ebbcf48377f5e497944df9345d58de9ad3c922f
Instruction Fuzzy Hash: D851A571F1874A8AFB10CF66E8853AA63E4AF48B50F58413ADA4DD3654CF3CD509C744

Function 00007FF65708B140 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

Failed to get OS info., xrefs: 00007FF65708B1A5
d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708B30E
Failed to set variant value., xrefs: 00007FF65708B2FA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeLibrary
String ID: Failed to get OS info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3664257935-2618661516
Opcode ID: 2db4bdd0001c59e4aa0796259fda7b12461a35bfaf5bde8f15e37dba9e5f5281
Instruction ID: f795cf0c1bed547571db19553f8bc94833edd674530e85929d4294f0eb931e9e
Opcode Fuzzy Hash: 2db4bdd0001c59e4aa0796259fda7b12461a35bfaf5bde8f15e37dba9e5f5281
Instruction Fuzzy Hash: EB517EB2A1CB8E86EB609B65E4841BD27E1FB49784F0C0035E94DE7B94DE3CE50A8700

Function 00007FF6570CA0F0 Relevance: 13.0, Strings: 10, Instructions: 520COMMON

Download Yara Rule

Strings

BA aborted cache acquire begin., xrefs: 00007FF6570CA273
Failed to search local source., xrefs: 00007FF6570CA5EC
BA aborted cache acquire resolving., xrefs: 00007FF6570CA5BA
Failed to extract container for payload: %ls, xrefs: 00007FF6570CA6BA
Failed to determine if payload paths were equivalent, source: %ls, destination: %ls., xrefs: 00007FF6570CA745
d:\a\wix4\wix4\src\burn\engine\apply.cpp, xrefs: 00007FF6570CA262, 00007FF6570CA281, 00007FF6570CA550, 00007FF6570CA5A9, 00007FF6570CA5CC, 00007FF6570CA635, 00007FF6570CA66F, 00007FF6570CA739, 00007FF6570CA795
Failed to copy payload: %ls, xrefs: 00007FF6570CA785
Failed to download payload: %ls, xrefs: 00007FF6570CA6E4
Failed to resolve source, payload: %ls, package: %ls, container: %ls, xrefs: 00007FF6570CA676
Failed to compare '%ls' to '%ls'., xrefs: 00007FF6570CA576

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: BA aborted cache acquire begin.$BA aborted cache acquire resolving.$Failed to compare '%ls' to '%ls'.$Failed to copy payload: %ls$Failed to determine if payload paths were equivalent, source: %ls, destination: %ls.$Failed to download payload: %ls$Failed to extract container for payload: %ls$Failed to resolve source, payload: %ls, package: %ls, container: %ls$Failed to search local source.$d:\a\wix4\wix4\src\burn\engine\apply.cpp
API String ID: 0-1652660176
Opcode ID: 09fdb8d960be019bac527b6bef8af59234a21c63b06d788ff599e6fa33b5e26c
Instruction ID: d3d0114e934fbd994e152b3bf85f605615e4d35af3c1d0f21b3641f361e65851
Opcode Fuzzy Hash: 09fdb8d960be019bac527b6bef8af59234a21c63b06d788ff599e6fa33b5e26c
Instruction Fuzzy Hash: 233279B2B18A5A8AE760CF65D4806AEB3E9FB48784F184135DE4DE7B54DF38E409C710

Function 00007FF6570D42EC Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6570D4308
RtlCaptureContext.KERNEL32 ref: 00007FF6570D4335
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6570D434F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6570D4390
IsDebuggerPresent.KERNEL32 ref: 00007FF6570D43E4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6570D4405
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6570D4410

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: f0cf7bd9e4cc2a76a56b3a9d04e710952a6c06f4d5dee41621f74f624ae6ed04
Instruction ID: bfead3e9af825b909bdd8264c4b7bae69d02beafecded0fb58c196db730a32c7
Opcode Fuzzy Hash: f0cf7bd9e4cc2a76a56b3a9d04e710952a6c06f4d5dee41621f74f624ae6ed04
Instruction Fuzzy Hash: B9314DB6609B8586EBA0CF60E8403ED73A4FB84744F48403AEA4DD7B98DF78D548C718

Function 00007FF6570DA42C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6570DA4A5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6570DA4BD
RtlVirtualUnwind.KERNEL32 ref: 00007FF6570DA4F8
IsDebuggerPresent.KERNEL32 ref: 00007FF6570DA531
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6570DA53B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6570DA546

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: dd397338ec1154c038745e4b552c8848acb7150cb8a925169b08ec19b4cfdff6
Instruction ID: 18f03aa7d418a793fd0a804fc4d72fef31eb042746edc99ae38ecf581a33fa8b
Opcode Fuzzy Hash: dd397338ec1154c038745e4b552c8848acb7150cb8a925169b08ec19b4cfdff6
Instruction Fuzzy Hash: 9B3191B6618F8586DB60CF24E8402AE73A0FB89754F580136EA8DD7B58EF3CD549CB04

Function 00007FF65708AF70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FF65708AFA4
GetLastError.KERNEL32 ref: 00007FF65708AFAE

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708AFCB, 00007FF65708B011
Failed to get the user name., xrefs: 00007FF65708AFDC
Failed to set variant value., xrefs: 00007FF65708B000

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 2054405381-561454448
Opcode ID: d612b94d3614895253c97630b7148fd6dd8cb543d1cb525fad57538f601ea861
Instruction ID: 8778b71afee76795cfd12f123c59bb42372730751b696e661d725d0282c14cd8
Opcode Fuzzy Hash: d612b94d3614895253c97630b7148fd6dd8cb543d1cb525fad57538f601ea861
Instruction Fuzzy Hash: F61172A1B18B8682FB209B15E89476A63A0FF84794F884035DA8DD7A55EF2CD51D8B00

Function 00007FF6570DE914 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570DE960
FindFirstFileExW.KERNEL32 ref: 00007FF6570DEA6A

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 9569b9c0d11f0f413ef65a1dff9195b99827b5b19e9f0eb0b95eec3e638f3f1f
Instruction ID: 0cc9eade1a30d7f5409fb52b079838a6218b350d57a0b81d2133251c62e43945
Opcode Fuzzy Hash: 9569b9c0d11f0f413ef65a1dff9195b99827b5b19e9f0eb0b95eec3e638f3f1f
Instruction Fuzzy Hash: 75B1C4A2B1879A41EB609B25D8041BAA3D1FB44BE4F4C5131EA4EE7BC5DE3CF4498308

Function 00007FF6570A4460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570879E8: CreateDirectoryW.KERNELBASE ref: 00007FF657087A0C
Part of subcall function 00007FF6570879E8: GetLastError.KERNEL32 ref: 00007FF657087A1A

DecryptFileW.ADVAPI32 ref: 00007FF6570A44B7

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A4492
Failed create acquisition folder., xrefs: 00007FF6570A4486

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateDecryptDirectoryErrorFileLast
String ID: Failed create acquisition folder.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 4153065963-4185204549
Opcode ID: 31d8d7e0e87acfede34b7408c3ad5307cd86d43e3fd238e7a074322bbf165390
Instruction ID: 8e5c39cbe902b138430ac0f9da28e1973a848be96c68793eb0694ddfe8e68faa
Opcode Fuzzy Hash: 31d8d7e0e87acfede34b7408c3ad5307cd86d43e3fd238e7a074322bbf165390
Instruction Fuzzy Hash: D6F09066B18A4A83E7108F26E4801BA63E1FBC8784F984035DA5CD7764DF3CD45A8B04

Function 00007FF6570E1830 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6570E1896
memcpy_s.LIBCPMT ref: 00007FF6570E18C1

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: cc81cd3ac1b567683db4a9a378c90754975d486612a1ac658515e2d66ad77290
Instruction ID: da5ed8eee1a539ce1950fb20e7cfcd38bba56916466aabaf54060646949710f0
Opcode Fuzzy Hash: cc81cd3ac1b567683db4a9a378c90754975d486612a1ac658515e2d66ad77290
Instruction Fuzzy Hash: 10C1E4B2B2868E87E7248F15A04466AB7D1F784B84F489235DF4AEB744DF3DE845CB40

Function 00007FF6570E6398 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6570E65E7
RaiseException.KERNEL32 ref: 00007FF6570E65F8

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 62a65e8e68d52042a0e1946782109eadefa1f3f61b0d6ee731664c0ed1f695e5
Instruction ID: b79c561ff54be2980a325274e9a19e314c9c141b42f6b01dd87e01dfd600f46f
Opcode Fuzzy Hash: 62a65e8e68d52042a0e1946782109eadefa1f3f61b0d6ee731664c0ed1f695e5
Instruction Fuzzy Hash: 8BB138B3614B8A8AEB15CF29D8863683BE0F744B48F198926DE5DC77A8CF39D455C700

Function 00007FF6570F2798 Relevance: 3.0, APIs: 2, Instructions: 38fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF6570F27DE
FindClose.KERNEL32 ref: 00007FF6570F27ED

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e0d6984bcc9757d2926cda4b2d61a9e377d07a2c4eda70cd5c0a03789cefe777
Instruction ID: 86ece6f300885cac6b8d78846c83d6b49bcc286cf9ad3cb92a7638360950e493
Opcode Fuzzy Hash: e0d6984bcc9757d2926cda4b2d61a9e377d07a2c4eda70cd5c0a03789cefe777
Instruction Fuzzy Hash: 5F019675B0968581EB70CB15E44566973D0FB88BA4F484231DD9CD7B84CF3CE50A8B00

Function 00007FF6570D94A0 Relevance: 2.8, Strings: 2, Instructions: 350COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00007FF6570D960E
, xrefs: 00007FF6570D9850

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 329c1cafed81ea7fb3e0d374ec61d91405ddcb2724f8b376174e0f80c7b4a995
Instruction ID: 3115810c1fe946f6fd2ca0457842f49c6f339ba6e2d3bfcfb180734ba55c0e9f
Opcode Fuzzy Hash: 329c1cafed81ea7fb3e0d374ec61d91405ddcb2724f8b376174e0f80c7b4a995
Instruction Fuzzy Hash: 55E190F2A2874A85EF688F25815813D23E0FF45B48F1C4235DA4FE7698DE39E859C708

Function 00007FF6570DD0FC Relevance: 2.6, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

Strings

e+000, xrefs: 00007FF6570DD209
gfff, xrefs: 00007FF6570DD286

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 6a5ef61c77c0e5bf8e7cb535029f032ef04d5b4af68dc8fe3c252bbf8ea3ebb7
Instruction ID: 4e281e5fb4f6c0bb14092e6896532eb30f55fb462849851af3c9c5463b6b37fb
Opcode Fuzzy Hash: 6a5ef61c77c0e5bf8e7cb535029f032ef04d5b4af68dc8fe3c252bbf8ea3ebb7
Instruction Fuzzy Hash: 885157E6B183E946E7258B35D8007696BD1E794B94F0C9232CBA8DBBC1DE3DD4498704

Function 00007FF6570B8180 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd680396472452cf544b22d0b8cdbc9226a7d8252b8d1b8dd7f91ab9b7df97
Instruction ID: 836bd91c8bb163a77dee6af52f5c1f9db242406cda342304248e11fdc4403b65
Opcode Fuzzy Hash: c5bd680396472452cf544b22d0b8cdbc9226a7d8252b8d1b8dd7f91ab9b7df97
Instruction Fuzzy Hash: 4C2233E1B1865742EB28D73BCA6057D57D1EF84B80B0C8031CF0DE3AA6DE29F959D681

Function 00007FF6570DD77C Relevance: .2, Instructions: 198COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e8e40c479a1db29b81c02b322a209602ca22b4a94111bdb6f8812a63089a74
Instruction ID: da0662b46d3baaa6c3e884cb723d23e2b129de75fef1b49bfe4a67a90a61cbd7
Opcode Fuzzy Hash: 25e8e40c479a1db29b81c02b322a209602ca22b4a94111bdb6f8812a63089a74
Instruction Fuzzy Hash: 6C81F5F2A0C79985E774CB19944037AB6D1FB45794F18823ADA8DD3B89DF3DE40A8B04

Function 00007FF6570D88D4 Relevance: .1, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4511e46d3dad8bb9131fcbe58f47e52a3bb0c7fd98dab0744a1f68c8f35f932a
Instruction ID: 05d37ce2d4030e76f607982b780b6f125660ff5ea4edae4e4a9c4329e958bd3f
Opcode Fuzzy Hash: 4511e46d3dad8bb9131fcbe58f47e52a3bb0c7fd98dab0744a1f68c8f35f932a
Instruction Fuzzy Hash: B85170B6A1875A86E7248B29C04023877E1EB45F68F2C5131CA8DE77D4CF3AF846C749

Function 00007FF6570D86C8 Relevance: .1, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccef08dcac92de96f80e62e39422300b1b07a4443c4a4c576b31c173fb34a7b9
Instruction ID: 4ac247e1ea4f7ff7e9f5cf47a2099f66b3501a3553523d089975205a6fe6c80b
Opcode Fuzzy Hash: ccef08dcac92de96f80e62e39422300b1b07a4443c4a4c576b31c173fb34a7b9
Instruction Fuzzy Hash: 18516FB6A1875986E764CB29C04463837E1EB44B68F2C4131CE4DE77D4DF3AE886C788

Function 00007FF6570D84BC Relevance: .1, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaa4d226cfc6ad080383ae9afbcffa98b1d4b02c4f348a8229da7f61345b46b
Instruction ID: 60810ee4ac7664fa38e363ac253937669c435c4ea814c6c1f8efb6a6999840d4
Opcode Fuzzy Hash: aeaa4d226cfc6ad080383ae9afbcffa98b1d4b02c4f348a8229da7f61345b46b
Instruction Fuzzy Hash: 075161B6A18B5986E7258B29D05423837E0EB54BA8F2C4131CE4DE77D8CF3AE857C744

Function 00007FF6570C37AC Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9737d1d36a664a2d1eac21050ef45ebe19750109be73a891a133502aaa51538e
Instruction ID: 93cec9d79286c87273f25f29e5e70feeb230d8e9736691415e53f21cfe0aaada
Opcode Fuzzy Hash: 9737d1d36a664a2d1eac21050ef45ebe19750109be73a891a133502aaa51538e
Instruction Fuzzy Hash: 204188B2F1834B86F6B95F25A74453DF6DAAB90345F6C9039C50DF3588CD38A90D8622

Function 00007FF6570E5E80 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140e1e4fe610231bdf40aa9f7ae1b81fc1c56197c0420741d93748ed80b38af4
Instruction ID: 65020763db02e03f1dcb38f351a8426dd50e58d35df690c97f6a644025d3884b
Opcode Fuzzy Hash: 140e1e4fe610231bdf40aa9f7ae1b81fc1c56197c0420741d93748ed80b38af4
Instruction Fuzzy Hash: C5F068727182598FEBE9DF2DA84262977D0E708384F588139D58DD3B14DA7C94909F04

Function 00007FF6570D44D0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d87e52002873939cdd41a68ab5698367994441df2833cf10978d5824ac9a8d
Instruction ID: 378ebe113476c79c4c1f964d7dd6e949b76758b94e2c170b1b89a3181e5a9f9d
Opcode Fuzzy Hash: a2d87e52002873939cdd41a68ab5698367994441df2833cf10978d5824ac9a8d
Instruction Fuzzy Hash: 30A001A990895AD0E7948B00E85406822A1BB50354B484132E41DE50A0DE6CA4888208

Function 00007FF6570C6880 Relevance: 70.2, APIs: 19, Strings: 21, Instructions: 238COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6570C68AB
_cwprintf_s_l.LIBCMT ref: 00007FF6570C68C4
_cwprintf_s_l.LIBCMT ref: 00007FF6570C68D7
_cwprintf_s_l.LIBCMT ref: 00007FF6570C68EA
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6904
_cwprintf_s_l.LIBCMT ref: 00007FF6570C691E
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6938
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6952
_cwprintf_s_l.LIBCMT ref: 00007FF6570C696C
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6986
_cwprintf_s_l.LIBCMT ref: 00007FF6570C69A0
_cwprintf_s_l.LIBCMT ref: 00007FF6570C69BA
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6A33
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6AA6
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6AB9
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6B5D
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6B71
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6BC3
_cwprintf_s_l.LIBCMT ref: 00007FF6570C6C02

Strings

disallow-removal: %hs, xrefs: 00007FF6570C6962
Plan cache size: %llu, xrefs: 00007FF6570C6A29
Restore action[%u]: RELATED_BUNDLE package id: %ls, action: %hs, ignore dependencies: %ls, xrefs: 00007FF6570C6B3E
layout directory: %ls, xrefs: 00007FF6570C69B0
overall progress ticks: %u, xrefs: 00007FF6570C6AAF
--- End plan dump ---, xrefs: 00007FF6570C6C12
Plan action: %hs, xrefs: 00007FF6570C68BA
(deleted action), xrefs: 00007FF6570C6B67
Dependency action[%u]: PLANNED_PROVIDER key: %ls, name: %ls, xrefs: 00007FF6570C6BF6
can affect machine state: %hs, xrefs: 00007FF6570C692E
downgrade: %hs, xrefs: 00007FF6570C697C
bundle id: %ls, xrefs: 00007FF6570C68CD
disable-rollback: %hs, xrefs: 00007FF6570C6948
Clean action[%u]: CLEAN_PACKAGE package id: %ls, xrefs: 00007FF6570C6BA6
bundle provider key: %ls, xrefs: 00007FF6570C68E0
registration options: %hs, xrefs: 00007FF6570C6996
use-forward-compatible: %hs, xrefs: 00007FF6570C68FA
Plan execute package count: %u, xrefs: 00007FF6570C6A9C
per-machine: %hs, xrefs: 00007FF6570C6914
Clean action[%u]: CLEAN_COMPATIBLE_PACKAGE package id: %ls, xrefs: 00007FF6570C6BAF
--- Begin plan dump ---, xrefs: 00007FF6570C689B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: (deleted action)$ bundle id: %ls$ bundle provider key: %ls$ can affect machine state: %hs$ disable-rollback: %hs$ disallow-removal: %hs$ downgrade: %hs$ layout directory: %ls$ overall progress ticks: %u$ per-machine: %hs$ registration options: %hs$ use-forward-compatible: %hs$ Clean action[%u]: CLEAN_COMPATIBLE_PACKAGE package id: %ls$ Clean action[%u]: CLEAN_PACKAGE package id: %ls$ Dependency action[%u]: PLANNED_PROVIDER key: %ls, name: %ls$--- Begin plan dump ---$--- End plan dump ---$Plan action: %hs$Plan cache size: %llu$Plan execute package count: %u$Restore action[%u]: RELATED_BUNDLE package id: %ls, action: %hs, ignore dependencies: %ls
API String ID: 2941638530-1818579274
Opcode ID: 5a1bb4c31ab7ea3ff988ac4ddb390d951e7e468c61ea87ebe580e861683dac08
Instruction ID: cf82499a450f6eb5c148de32371c176de37d380f31872c78b6ca71a4d5576470
Opcode Fuzzy Hash: 5a1bb4c31ab7ea3ff988ac4ddb390d951e7e468c61ea87ebe580e861683dac08
Instruction Fuzzy Hash: A4B1B1F2A0464A92DB24AF14D4501BD63A5FB84B94F0C4136DA1DFB39ADE3DE988C790

Function 00007FF6570C4F38 Relevance: 66.8, APIs: 14, Strings: 24, Instructions: 346COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6570C5062
_cwprintf_s_l.LIBCMT ref: 00007FF6570C509E
_cwprintf_s_l.LIBCMT ref: 00007FF6570C5125
_cwprintf_s_l.LIBCMT ref: 00007FF6570C5173
_cwprintf_s_l.LIBCMT ref: 00007FF6570C5208
_cwprintf_s_l.LIBCMT ref: 00007FF6570C522E
_cwprintf_s_l.LIBCMT ref: 00007FF6570C5290
_cwprintf_s_l.LIBCMT ref: 00007FF6570C5345
_cwprintf_s_l.LIBCMT ref: 00007FF6570C537F
_cwprintf_s_l.LIBCMT ref: 00007FF6570C53E1
_cwprintf_s_l.LIBCMT ref: 00007FF6570C542C
_cwprintf_s_l.LIBCMT ref: 00007FF6570C545D
_cwprintf_s_l.LIBCMT ref: 00007FF6570C54A4
_cwprintf_s_l.LIBCMT ref: 00007FF6570C54C8

Strings

%ls action[%u]: ROLLBACK_BOUNDARY_START id: %ls, vital: %ls, xrefs: 00007FF6570C53A3
Patch[%u]: msp package id: %ls, action: %hs, xrefs: 00007FF6570C515E
%ls action[%u]: EXE_PACKAGE package id: %ls, action: %hs, xrefs: 00007FF6570C5197
%ls action[%u]: MSP_TARGET package id: %ls, action: %hs, target product code: %ls, target per-machine: %hs, action msi property: %ls, ui level: %u, disable externaluihandler: %hs, file versioning: %hs, log path: %ls, xrefs: 00007FF6570C5056
%ls action[%u]: CHECKPOINT id: %u, msi transaction id: %ls, xrefs: 00007FF6570C5277
(none), xrefs: 00007FF6570C526D
%ls action[%u]: UNCACHE_PACKAGE id: %ls, xrefs: 00007FF6570C5216
%ls action[%u]: BEGIN_MSI_TRANSACTION id: %ls, xrefs: 00007FF6570C5363
Patch[%u]: order: %u, msp package id: %ls, xrefs: 00007FF6570C5092
%ls action[%u]: PACKAGE_DEPENDENCY package id: %ls, bundle provider key: %ls, xrefs: 00007FF6570C53CF
(deleted action), xrefs: 00007FF6570C54BE
Rollback, xrefs: 00007FF6570C4F57
%ls action[%u]: MSI_PACKAGE package id: %ls, action: %hs, action msi property: %ls, ui level: %u, disable externaluihandler: %hs, file versioning: %hs, log path: %ls, logging attrib: %u, xrefs: 00007FF6570C5119
%ls action[%u]: MSU_PACKAGE package id: %ls, action: %hs, log path: %ls, xrefs: 00007FF6570C52B7
%ls action[%u]: ROLLBACK_BOUNDARY_END, xrefs: 00007FF6570C5372
%ls action[%u]: UNINSTALL_MSI_COMPATIBLE_PACKAGE package id: %ls, compatible package id: %ls, cache id: %ls, log path: %ls, logging attrib: %u, xrefs: 00007FF6570C5316
%ls action[%u]: BUNDLE_PACKAGE package id: %ls, action: %hs, xrefs: 00007FF6570C51BC
Execute, xrefs: 00007FF6570C4F61
%ls action[%u]: PACKAGE_PROVIDER package id: %ls, xrefs: 00007FF6570C544B
%ls action[%u]: RELATED_BUNDLE package id: %ls, action: %hs, ignore dependencies: %ls, xrefs: 00007FF6570C51F3
Provider[%u]: key: %ls, action: %hs, xrefs: 00007FF6570C541A, 00007FF6570C5492
%ls action[%u]: COMMIT_MSI_TRANSACTION id: %ls, xrefs: 00007FF6570C5353
%ls action[%u]: WAIT_CACHE_PACKAGE id: %ls, event handle: 0x%p, xrefs: 00007FF6570C523C
yes, xrefs: 00007FF6570C5394

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: (deleted action)$ Patch[%u]: msp package id: %ls, action: %hs$ Patch[%u]: order: %u, msp package id: %ls$ Provider[%u]: key: %ls, action: %hs$ Execute$ Rollback$%ls action[%u]: BEGIN_MSI_TRANSACTION id: %ls$%ls action[%u]: BUNDLE_PACKAGE package id: %ls, action: %hs$%ls action[%u]: CHECKPOINT id: %u, msi transaction id: %ls$%ls action[%u]: COMMIT_MSI_TRANSACTION id: %ls$%ls action[%u]: EXE_PACKAGE package id: %ls, action: %hs$%ls action[%u]: MSI_PACKAGE package id: %ls, action: %hs, action msi property: %ls, ui level: %u, disable externaluihandler: %hs, file versioning: %hs, log path: %ls, logging attrib: %u$%ls action[%u]: MSP_TARGET package id: %ls, action: %hs, target product code: %ls, target per-machine: %hs, action msi property: %ls, ui level: %u, disable externaluihandler: %hs, file versioning: %hs, log path: %ls$%ls action[%u]: MSU_PACKAGE package id: %ls, action: %hs, log path: %ls$%ls action[%u]: PACKAGE_DEPENDENCY package id: %ls, bundle provider key: %ls$%ls action[%u]: PACKAGE_PROVIDER package id: %ls$%ls action[%u]: RELATED_BUNDLE package id: %ls, action: %hs, ignore dependencies: %ls$%ls action[%u]: ROLLBACK_BOUNDARY_END$%ls action[%u]: ROLLBACK_BOUNDARY_START id: %ls, vital: %ls$%ls action[%u]: UNCACHE_PACKAGE id: %ls$%ls action[%u]: UNINSTALL_MSI_COMPATIBLE_PACKAGE package id: %ls, compatible package id: %ls, cache id: %ls, log path: %ls, logging attrib: %u$%ls action[%u]: WAIT_CACHE_PACKAGE id: %ls, event handle: 0x%p$(none)$yes
API String ID: 2941638530-2015118038
Opcode ID: d25d9d183520bb07881b7f61e340b70487bdd30e12210778b596ed243b53cf58
Instruction ID: ffaf7432c70ba240c805df4a82162312dc2f0753bff08a48cada54cfa1e6b6db
Opcode Fuzzy Hash: d25d9d183520bb07881b7f61e340b70487bdd30e12210778b596ed243b53cf58
Instruction Fuzzy Hash: 01F1B6B6A09B4AC6DA24CB05E48886DB7E4FB88BD8F285135DA4DD7764CF3CE444C700

Function 00007FF6570FB1C8 Relevance: 45.8, APIs: 8, Strings: 18, Instructions: 264COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570FB25E
SysFreeString.OLEAUT32 ref: 00007FF6570FB576

Strings

length, xrefs: 00007FF6570FB2E3
Failed get attributes for ATOM link., xrefs: 00007FF6570FB20F
Failed to process all ATOM link attributes., xrefs: 00007FF6570FB436
Failed to allocate ATOM link value., xrefs: 00007FF6570FB542
Failed to process all ATOM link elements., xrefs: 00007FF6570FB508
href, xrefs: 00007FF6570FB294
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570FB467, 00007FF6570FB559
rel, xrefs: 00007FF6570FB246
Failed to parse unknown ATOM link attribute: %ls, xrefs: 00007FF6570FB455
Failed to allocate ATOM link type., xrefs: 00007FF6570FB3C4
type, xrefs: 00007FF6570FB38E
Failed to allocate ATOM link title., xrefs: 00007FF6570FB379
Failed to allocate ATOM link href., xrefs: 00007FF6570FB2CE
Failed to parse ATOM link length., xrefs: 00007FF6570FB32E
Failed to parse unknown ATOM link element: %ls, xrefs: 00007FF6570FB524
Failed to allocate ATOM link rel., xrefs: 00007FF6570FB27F
Failed to get child nodes of ATOM link element., xrefs: 00007FF6570FB49A
title, xrefs: 00007FF6570FB343

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$CompareFree
String ID: Failed get attributes for ATOM link.$Failed to allocate ATOM link href.$Failed to allocate ATOM link rel.$Failed to allocate ATOM link title.$Failed to allocate ATOM link type.$Failed to allocate ATOM link value.$Failed to get child nodes of ATOM link element.$Failed to parse ATOM link length.$Failed to parse unknown ATOM link attribute: %ls$Failed to parse unknown ATOM link element: %ls$Failed to process all ATOM link attributes.$Failed to process all ATOM link elements.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$href$length$rel$title$type
API String ID: 3589242889-3014251594
Opcode ID: e9fcde556c8a096618963259ad8e162a2f8d36ce7f3a36a3da1c481a157f7e40
Instruction ID: caf095241dce2597c26959f8155c2eafcc649c7466c2b0d77475e5f10112e5da
Opcode Fuzzy Hash: e9fcde556c8a096618963259ad8e162a2f8d36ce7f3a36a3da1c481a157f7e40
Instruction Fuzzy Hash: EEC185A2B08B5A86EB14DF25D8903B923A4FF44B84F584132D90DE7BA4DF3DE949C744

Function 00007FF6570FBF88 Relevance: 42.2, APIs: 8, Strings: 16, Instructions: 243COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FBFDE
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC006
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC032
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC0C6
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC12E
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC16A
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC19F
CompareStringW.KERNEL32(?,?,?,?,?,?,?,00007FF6570FC82B,?,?,00000000,?,?,00000000,00000000,00007FF6570FCA6D), ref: 00007FF6570FC1D8

Strings

sha1, xrefs: 00007FF6570FC14E
sha256, xrefs: 00007FF6570FC183
Failed to copy local name., xrefs: 00007FF6570FC092
http://appsyndication.org/2006/appsyn, xrefs: 00007FF6570FBFC5
digest, xrefs: 00007FF6570FBFED
Failed to decode digest value., xrefs: 00007FF6570FC327
Failed to allocate enclosure URL., xrefs: 00007FF6570FC081
name, xrefs: 00007FF6570FC019
algorithm, xrefs: 00007FF6570FC0AD
sha512, xrefs: 00007FF6570FC1BC
md5, xrefs: 00007FF6570FC112
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp, xrefs: 00007FF6570FC0DF, 00007FF6570FC260, 00007FF6570FC282, 00007FF6570FC2B6, 00007FF6570FC2E9
Failed to get string length of digest value., xrefs: 00007FF6570FC245
Invalid digest length (%Iu) for digest algorithm (%u)., xrefs: 00007FF6570FC29F
Failed to allocate memory for digest., xrefs: 00007FF6570FC2FF
Unknown algorithm type for digest., xrefs: 00007FF6570FC0F7

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to allocate enclosure URL.$Failed to allocate memory for digest.$Failed to copy local name.$Failed to decode digest value.$Failed to get string length of digest value.$Invalid digest length (%Iu) for digest algorithm (%u).$Unknown algorithm type for digest.$algorithm$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$name$sha1$sha256$sha512
API String ID: 1825529933-539980605
Opcode ID: 1cc10535ef566eac78a8370956d8aec5142afde95054be7f4792f8207bdd26da
Instruction ID: 6580f0d956c0724981eaaaac0cb7a6b006d0fbbe5ef61a6d89a046b30af1daa8
Opcode Fuzzy Hash: 1cc10535ef566eac78a8370956d8aec5142afde95054be7f4792f8207bdd26da
Instruction Fuzzy Hash: FFB1C7B1B1874A82E7308B11E84066A73E0FB48BA4F5C4536CA4DE7B64DF3CE559C748

Function 00007FF65709FED4 Relevance: 40.5, APIs: 9, Strings: 14, Instructions: 224sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF65709FF70
GetLastError.KERNEL32 ref: 00007FF65709FF80
Sleep.KERNEL32 ref: 00007FF65709FFA7

Strings

\\.\pipe\%ls.Cache, xrefs: 00007FF6570A0026
Failed to allocate name of parent cache pipe., xrefs: 00007FF6570A003C
Failed to verify parent cache pipe: %ls, xrefs: 00007FF6570A00EB
Failed to allocate name of parent pipe., xrefs: 00007FF65709FF0D
Failed to open parent logging pipe: %ls, xrefs: 00007FF6570A0190
\\.\pipe\%ls, xrefs: 00007FF65709FEF4
Failed to open parent pipe: %ls, xrefs: 00007FF65709FFDA
\\.\pipe\%ls.Log, xrefs: 00007FF6570A00FA
d:\a\wix4\wix4\src\burn\engine\pipe.cpp, xrefs: 00007FF65709FF1E, 00007FF65709FFC0, 00007FF6570A0093, 00007FF6570A0167, 00007FF6570A01F5, 00007FF6570A0229
Failed to allocate name of parent logging pipe., xrefs: 00007FF6570A0110
Failed to open companion process with PID: %u, xrefs: 00007FF6570A021B
Failed to verify parent logging pipe: %ls, xrefs: 00007FF6570A01BF
Failed to open parent cache pipe: %ls, xrefs: 00007FF6570A00BC
Failed to verify parent pipe: %ls, xrefs: 00007FF6570A000E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent logging pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent cache pipe: %ls$Failed to open parent logging pipe: %ls$Failed to open parent pipe: %ls$Failed to verify parent cache pipe: %ls$Failed to verify parent logging pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$\\.\pipe\%ls.Log$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
API String ID: 408151869-3514438494
Opcode ID: 73ef25ee2d0b98da257e340f395b44bf36e08219f5c47a25812d1a09cf944659
Instruction ID: 5c61d29e62c8a92012748d0aae38d0b92c14938fb7ff4eedf08249edd23fff05
Opcode Fuzzy Hash: 73ef25ee2d0b98da257e340f395b44bf36e08219f5c47a25812d1a09cf944659
Instruction Fuzzy Hash: 50A196A1B18B4A86FB608F65E9803AA23E4FF58754F080235DA4DE37D5EF3CE5198744

Function 00007FF6570A9494 Relevance: 38.9, APIs: 8, Strings: 14, Instructions: 398synchronizationthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A96AF

Part of subcall function 00007FF6570AA934: CreateThread.KERNEL32 ref: 00007FF6570AAA04

CreateThread.KERNEL32 ref: 00007FF6570A97F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A9808
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A98EC
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A9A47
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A9A51
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A9A63
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6570A9A77

Strings

BA aborted apply begin., xrefs: 00007FF6570A95B0
Failed to wait for cache thread after execute., xrefs: 00007FF6570A993C
Apply cannot be done without a successful Plan., xrefs: 00007FF6570A94FB
Failed to set initial apply variables., xrefs: 00007FF6570A9661
Failed to cache engine to working directory., xrefs: 00007FF6570A96DF
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570A9511, 00007FF6570A959F, 00007FF6570A95D1, 00007FF6570A96F6, 00007FF6570A97A9, 00007FF6570A981E, 00007FF6570A9854, 00007FF6570A98AD, 00007FF6570A9953
Plans cannot be applied multiple times., xrefs: 00007FF6570A953D
Failed to elevate., xrefs: 00007FF6570A9735
Failed to initialize apply in elevated process., xrefs: 00007FF6570A9763
Failed to create cache thread., xrefs: 00007FF6570A9842
Failed while caching, aborting execution., xrefs: 00007FF6570A98D2
Failed to register bundle., xrefs: 00007FF6570A9792
Another per-user setup is already executing., xrefs: 00007FF6570A9621
Failed to wait for cache thread before execute., xrefs: 00007FF6570A9896

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$CreateCriticalSectionThread$DeleteErrorInitializeLastMutexRelease
String ID: Another per-user setup is already executing.$Apply cannot be done without a successful Plan.$BA aborted apply begin.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to initialize apply in elevated process.$Failed to register bundle.$Failed to set initial apply variables.$Failed to wait for cache thread after execute.$Failed to wait for cache thread before execute.$Failed while caching, aborting execution.$Plans cannot be applied multiple times.$d:\a\wix4\wix4\src\burn\engine\core.cpp
API String ID: 628592193-1871941313
Opcode ID: 6d41f309899205dcb8e3d7d2598fd32aaf18c1537388de3000b13968b767cf0a
Instruction ID: ec4b1104796efb5b52fd787d82aba215ec5863a3dcfaf149f256d38175e123c7
Opcode Fuzzy Hash: 6d41f309899205dcb8e3d7d2598fd32aaf18c1537388de3000b13968b767cf0a
Instruction Fuzzy Hash: 281258B2B1864A8AEB20CF65D4447FD23E4FB44788F58013ADA0DE6A98DF3CE549C750

Function 00007FF6570D368C Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 268synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F5BF0: UuidCreate.RPCRT4 ref: 00007FF6570F5C1C

WaitForSingleObject.KERNEL32 ref: 00007FF6570D3956
ReleaseMutex.KERNEL32 ref: 00007FF6570D3981
GetExitCodeProcess.KERNEL32 ref: 00007FF6570D399A
GetLastError.KERNEL32 ref: 00007FF6570D39AA
CloseHandle.KERNEL32 ref: 00007FF6570D3A7F
CloseHandle.KERNEL32 ref: 00007FF6570D3A94

Part of subcall function 00007FF6570AA168: CreateProcessW.KERNELBASE ref: 00007FF6570AA222
Part of subcall function 00007FF6570AA168: GetLastError.KERNEL32 ref: 00007FF6570AA22C

Strings

Failed to append netfx chainer args., xrefs: 00007FF6570D3812
Failed to process netfx chainer message., xrefs: 00007FF6570D393E
NetFxEvent.%ls, xrefs: 00007FF6570D377C
Failed to CreateProcess on path: %ls, xrefs: 00007FF6570D38AE
%ls, xrefs: 00007FF6570D3828
Failed to allocate section name., xrefs: 00007FF6570D376A
Failed to append user args., xrefs: 00007FF6570D3846
d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp, xrefs: 00007FF6570D370D, 00007FF6570D372C, 00007FF6570D37CC, 00007FF6570D3856, 00007FF6570D38C0, 00007FF6570D39BE, 00007FF6570D3A29
Failed to create netfx chainer., xrefs: 00007FF6570D37BB
Failed to get netfx return code., xrefs: 00007FF6570D39DE
%ls /pipe %ls, xrefs: 00007FF6570D37F7
Failed to wait for netfx chainer process to complete, xrefs: 00007FF6570D3A18
Failed to create netfx chainer guid., xrefs: 00007FF6570D371E
NetFxSection.%ls, xrefs: 00007FF6570D3753
Failed to allocate event name., xrefs: 00007FF6570D3793

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess$CodeExitMutexObjectReleaseSingleUuidWait
String ID: %ls$%ls /pipe %ls$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate section name.$Failed to append netfx chainer args.$Failed to append user args.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
API String ID: 4018796558-3586658835
Opcode ID: 7ff0c7f8915f3bea66e06f8a7c5add47607887ab9124e02ff881f0a671ee7c84
Instruction ID: 58a7d7df00c3e5bb50c372a75faab94032f06c9c78309205cf132de5120ed400
Opcode Fuzzy Hash: 7ff0c7f8915f3bea66e06f8a7c5add47607887ab9124e02ff881f0a671ee7c84
Instruction Fuzzy Hash: 15C1A2B2B08B5AC5EB20CB55E8402AAA7E4FB44B94F480135DE4CE7B54DF3CE549C748

Function 00007FF6570CBFCC Relevance: 31.8, APIs: 2, Strings: 16, Instructions: 336COMMON

Download Yara Rule

Strings

Failed to execute MSU package., xrefs: 00007FF6570CC2DE
Failed to execute dependency action., xrefs: 00007FF6570CC3D3
Failed to execute related bundle., xrefs: 00007FF6570CC1C9
d:\a\wix4\wix4\src\burn\engine\apply.cpp, xrefs: 00007FF6570CC267, 00007FF6570CC430, 00007FF6570CC44B, 00007FF6570CC4C2
Failed to execute commit MSI transaction action., xrefs: 00007FF6570CC37E
Failed to execute MSP package., xrefs: 00007FF6570CC0BB
Failed to execute uninstall MSI compatible package., xrefs: 00007FF6570CC350
Failed to execute MSI package., xrefs: 00007FF6570CC100
Cache thread exited unexpectedly with exit code: %u., xrefs: 00007FF6570CC45C
Failed to get cache thread exit code., xrefs: 00007FF6570CC287
Failed to execute package provider registration action., xrefs: 00007FF6570CC4A7
Failed to wait for cache check-point., xrefs: 00007FF6570CC47B
Failed to execute EXE package., xrefs: 00007FF6570CC143
Invalid execute action., xrefs: 00007FF6570CC48E
Failed to execute begin MSI transaction action., xrefs: 00007FF6570CC3A4
Failed to execute BUNDLE package., xrefs: 00007FF6570CC186

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Cache thread exited unexpectedly with exit code: %u.$Failed to execute BUNDLE package.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute begin MSI transaction action.$Failed to execute commit MSI transaction action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to execute related bundle.$Failed to execute uninstall MSI compatible package.$Failed to get cache thread exit code.$Failed to wait for cache check-point.$Invalid execute action.$d:\a\wix4\wix4\src\burn\engine\apply.cpp
API String ID: 0-3642936599
Opcode ID: 4461807d518ffdfbc06a3433f8ace9fb035db67dc9c8d03447e9c98d3300a2a6
Instruction ID: 1bc94f02d8b3d0cbe225e7615e4d130acf2555c9ec9b1ddd0bede48be5fc5176
Opcode Fuzzy Hash: 4461807d518ffdfbc06a3433f8ace9fb035db67dc9c8d03447e9c98d3300a2a6
Instruction Fuzzy Hash: 77E1E671B08B4686F720CB65E85027AA7E9FB487A5F484136DA4DE7B94EF3CD509C310

Function 00007FF657094280 Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 244registryCOMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6570945B9
RegCloseKey.ADVAPI32 ref: 00007FF6570945D9

Strings

Failed to query registry key value., xrefs: 00007FF6570943F0
Failed to set variable., xrefs: 00007FF657094576
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00007FF6570943D0
Failed to change value type., xrefs: 00007FF657094552
Failed to read registry value., xrefs: 00007FF657094532
Unsupported registry key value type. Type = '%u', xrefs: 00007FF657094453
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00007FF6570945AA
Failed to format value string., xrefs: 00007FF657094317
Registry key not found. Key = '%ls', xrefs: 00007FF657094388
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF657094429, 00007FF657094442, 00007FF657094587
Failed to open registry key., xrefs: 00007FF65709436F
Failed to format key string., xrefs: 00007FF6570942E8

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close_cwprintf_s_l
String ID: Failed to change value type.$Failed to format key string.$Failed to format value string.$Failed to open registry key.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 3644356412-3422224897
Opcode ID: b8b518e273067d4a52a1db28b1473d59c9b24b342d70c6522dd798828085579e
Instruction ID: 455bd11b3050e571425c672c896bc7e5e2f604413054a5fd299c2a13cca187ea
Opcode Fuzzy Hash: b8b518e273067d4a52a1db28b1473d59c9b24b342d70c6522dd798828085579e
Instruction Fuzzy Hash: 92B192A1B1861A9AFB608BA1D4507BE23E4FF54788F580136EE0DE7A85DF6CE5498340

Function 00007FF65709D110 Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 230registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F34C4: CreateFileW.KERNEL32 ref: 00007FF6570F34FC
Part of subcall function 00007FF6570F34C4: GetLastError.KERNEL32 ref: 00007FF6570F350B

InitializeCriticalSection.KERNEL32 ref: 00007FF65709D1CC
RegCloseKey.ADVAPI32 ref: 00007FF65709D46C

Strings

Failed to build variable registry key path., xrefs: 00007FF65709D22A
Failed to create registration variable key., xrefs: 00007FF65709D25B
Failed to write state to file: %ls, xrefs: 00007FF65709D19B
Failed to enumerate value %u, xrefs: 00007FF65709D33D
Failed to set variable value., xrefs: 00007FF65709D408
Unsupported variable type., xrefs: 00007FF65709D3E0
variables, xrefs: 00007FF65709D20D
Failed to query registration variable count., xrefs: 00007FF65709D2B0
Failed to get variable value., xrefs: 00007FF65709D3F5
Failed to delete registration variable value., xrefs: 00007FF65709D32B
%s\%s, xrefs: 00007FF65709D214
Failed to read variables., xrefs: 00007FF65709D1F5
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709D1A7, 00007FF65709D300, 00007FF65709D414

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateCriticalErrorFileInitializeLastSection
String ID: %s\%s$Failed to build variable registry key path.$Failed to create registration variable key.$Failed to delete registration variable value.$Failed to enumerate value %u$Failed to get variable value.$Failed to query registration variable count.$Failed to read variables.$Failed to set variable value.$Failed to write state to file: %ls$Unsupported variable type.$d:\a\wix4\wix4\src\burn\engine\registration.cpp$variables
API String ID: 620435854-3789814747
Opcode ID: a3f09dae533cd9d29f617a33f20cc57e93924de36a08e70a247403612866ff15
Instruction ID: 5f00a14cfce4d288d58160118cbc51a091e2ddf9a798cdfd153847f749565b87
Opcode Fuzzy Hash: a3f09dae533cd9d29f617a33f20cc57e93924de36a08e70a247403612866ff15
Instruction Fuzzy Hash: 17A17FA2B48A5A87FB11DBA1D4902BD33E5BB94784F480135DE4DE3A98DF7CE51AC340

Function 00007FF6570B2F94 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 189COMMON

Download Yara Rule

Strings

Failed to launch elevated child process: %ls, xrefs: 00007FF6570B314B
Failed to allocate parameters for elevated process., xrefs: 00007FF6570B3090
Failed to connect to elevated child process., xrefs: 00007FF6570B3249
burn.log.mode, xrefs: 00007FF6570B30D2
Failed to set log mode in elevated process command-line., xrefs: 00007FF6570B30EF
Failed to elevate., xrefs: 00007FF6570B323B
Failed to create pipe and cache pipe., xrefs: 00007FF6570B3038
-%ls=%ls, xrefs: 00007FF6570B30D9
Failed to create pipe name and client token., xrefs: 00007FF6570B3012
d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 00007FF6570B2FD0, 00007FF6570B30A1, 00007FF6570B313A, 00007FF6570B3265
runas, xrefs: 00007FF6570B310C
BA aborted elevation requirement., xrefs: 00007FF6570B2FE3
burn.elevated, xrefs: 00007FF6570B305C
-q -%ls %ls %ls %u, xrefs: 00007FF6570B3068

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: -%ls=%ls$-q -%ls %ls %ls %u$BA aborted elevation requirement.$Failed to allocate parameters for elevated process.$Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$Failed to launch elevated child process: %ls$Failed to set log mode in elevated process command-line.$burn.elevated$burn.log.mode$d:\a\wix4\wix4\src\burn\engine\elevation.cpp$runas
API String ID: 0-4178128
Opcode ID: 0c2b65aecca9f91dcb69a14776ff531d92c03d493146b9d9c712afd5f75e9ee3
Instruction ID: 5d892a8715bf8d2561a10058a109cfb6f14f26cd6be7a517d579dc71ceb164b1
Opcode Fuzzy Hash: 0c2b65aecca9f91dcb69a14776ff531d92c03d493146b9d9c712afd5f75e9ee3
Instruction Fuzzy Hash: 1981B161B1874B86FB60CB61E4907BE63A0FB94344F680135EA4DEB795DF3DE6498300

Function 00007FF6570A0E64 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 180pipesleepstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6570A0EB2
GetCurrentProcessId.KERNEL32 ref: 00007FF6570A0EBD
SetNamedPipeHandleState.KERNEL32 ref: 00007FF6570A0EF2
ConnectNamedPipe.KERNEL32 ref: 00007FF6570A0F07
GetLastError.KERNEL32 ref: 00007FF6570A0F11
Sleep.KERNEL32 ref: 00007FF6570A0F3D
SetNamedPipeHandleState.KERNEL32 ref: 00007FF6570A0F74
GetLastError.KERNEL32 ref: 00007FF6570A109C

Strings

Failed to write our process id to pipe., xrefs: 00007FF6570A102F
Failed to set pipe to non-blocking., xrefs: 00007FF6570A10D0
Failed to write secret to pipe., xrefs: 00007FF6570A1040
d:\a\wix4\wix4\src\burn\engine\pipe.cpp, xrefs: 00007FF6570A1001, 00007FF6570A1073, 00007FF6570A10B0, 00007FF6570A10DE
Failed to reset pipe to blocking., xrefs: 00007FF6570A1093
Failed to read ACK from pipe., xrefs: 00007FF6570A101E
Failed to wait for child to connect to pipe., xrefs: 00007FF6570A1012
Failed to write secret length to pipe., xrefs: 00007FF6570A1051

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: NamedPipe$ErrorHandleLastState$ConnectCurrentProcessSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$d:\a\wix4\wix4\src\burn\engine\pipe.cpp
API String ID: 2345975998-2019809298
Opcode ID: 3a763a79620a63c6faa91cadb862fbd9fb187e586ce759d2072a8ebfaf11646d
Instruction ID: b5080b6b79bee57ba44fde0a604d1e660fb1eb3da94baef1c48f68f093c29ff9
Opcode Fuzzy Hash: 3a763a79620a63c6faa91cadb862fbd9fb187e586ce759d2072a8ebfaf11646d
Instruction Fuzzy Hash: 8271E2A1F2874A86F710CB6AD9806B933E5BB48B94F984135CE0DE7794DF7CE5098704

Function 00007FF65709C008 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 171registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF65709C28A

Strings

PublishingGroup, xrefs: 00007FF65709C168
Failed to get the formatted key path for update registration., xrefs: 00007FF65709C03C
Date, xrefs: 00007FF65709C1EE
Failed to create the key for update registration., xrefs: 00007FF65709C08E
InstalledDate, xrefs: 00007FF65709C1E4
Failed to write %ls value., xrefs: 00007FF65709C259
InstalledBy, xrefs: 00007FF65709C1BA
PackageVersion, xrefs: 00007FF65709C101
Publisher, xrefs: 00007FF65709C130
LogonUser, xrefs: 00007FF65709C1C4
PackageName, xrefs: 00007FF65709C0D2
ThisVersionInstalled, xrefs: 00007FF65709C0A0
InstallerName, xrefs: 00007FF65709C20E
InstallerVersion, xrefs: 00007FF65709C234
ReleaseType, xrefs: 00007FF65709C193
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709C04D, 00007FF65709C26B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled$d:\a\wix4\wix4\src\burn\engine\registration.cpp
API String ID: 3535843008-2070796179
Opcode ID: d6e3de1f228bdbb393b358b280229b28ec2c360ad071cbacafba62d66b55823a
Instruction ID: 1af5584e985443bd1446995e27438589bfc229b4e64ccb7397b8178cd5784a3f
Opcode Fuzzy Hash: d6e3de1f228bdbb393b358b280229b28ec2c360ad071cbacafba62d66b55823a
Instruction Fuzzy Hash: 5F715FA5B08B4B82EB519B61D840BAA2394FB957D4F480032EE0DEB795DF3CE159C740

Function 00007FF65709B1F8 Relevance: 28.2, APIs: 2, Strings: 14, Instructions: 214COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF65709B430

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

SysFreeString.OLEAUT32 ref: 00007FF65709B3E9

Strings

Regid, xrefs: 00007FF65709B354
Failed to get @Path., xrefs: 00007FF65709B4D3
Failed to select software tag nodes., xrefs: 00007FF65709B241
Failed to allocate memory for software tag structs., xrefs: 00007FF65709B2DA
SoftwareTag, xrefs: 00007FF65709B22B
Failed to get SoftwareTag text., xrefs: 00007FF65709B4B1
Failed to get @Filename., xrefs: 00007FF65709B517
Failed to convert SoftwareTag text to UTF-8, xrefs: 00007FF65709B48A
Path, xrefs: 00007FF65709B37D
Filename, xrefs: 00007FF65709B328
Failed to get software tag count., xrefs: 00007FF65709B28E
Failed to get next node., xrefs: 00007FF65709B539
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709B252, 00007FF65709B2C4, 00007FF65709B4A0, 00007FF65709B4C2, 00007FF65709B4E4, 00007FF65709B506, 00007FF65709B528
Failed to get @Regid., xrefs: 00007FF65709B4F5

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString$HeapProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$d:\a\wix4\wix4\src\burn\engine\registration.cpp
API String ID: 3485037438-1873729996
Opcode ID: c1f9bf87daf3b37bf44e61fe1a1b80752a6da04c16ed14f9d5411350a3a3eb2d
Instruction ID: f15ae6c73969f439d70e39ea98ad820967dc8f6337cb9d9bd31c70d907e64c65
Opcode Fuzzy Hash: c1f9bf87daf3b37bf44e61fe1a1b80752a6da04c16ed14f9d5411350a3a3eb2d
Instruction Fuzzy Hash: 1B9169A1B18A1B86FB109FA5D8902BD23E0FB54B94F584035DE0DEB7A5DF6DE809C344

Function 00007FF6570F9FF4 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 189COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570FA081
SysFreeString.OLEAUT32 ref: 00007FF6570FA26B

Strings

Failed to process all ATOM content attributes., xrefs: 00007FF6570FA137
Failed to allocate ATOM content value., xrefs: 00007FF6570FA237
Failed get attributes on ATOM unknown element., xrefs: 00007FF6570FA036
Failed to allocate ATOM content scheme., xrefs: 00007FF6570FA148
Failed to allocate ATOM content type., xrefs: 00007FF6570FA09E
url, xrefs: 00007FF6570FA0B3
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570FA1F3, 00007FF6570FA24E
Failed to get child nodes of ATOM content element., xrefs: 00007FF6570FA173
Failed to process all ATOM content elements., xrefs: 00007FF6570FA1E1
type, xrefs: 00007FF6570FA069
Failed to parse unknown ATOM content element: %ls, xrefs: 00007FF6570FA205

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$CompareFree
String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM content scheme.$Failed to allocate ATOM content type.$Failed to allocate ATOM content value.$Failed to get child nodes of ATOM content element.$Failed to parse unknown ATOM content element: %ls$Failed to process all ATOM content attributes.$Failed to process all ATOM content elements.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp$type$url
API String ID: 3589242889-2167937548
Opcode ID: fab25e9a6cff75072a678a819a611e1ac356dc358d490ea37cb5b073c4456d6f
Instruction ID: 8003035c9ff04ebe35639e63356f01052792f995b7419c2a903510aaf240d656
Opcode Fuzzy Hash: fab25e9a6cff75072a678a819a611e1ac356dc358d490ea37cb5b073c4456d6f
Instruction Fuzzy Hash: B8915FA2B08A5A86EB54DF65D8803B923A0FF45B88F584132DA0DE7764DF3DE549C348

Function 00007FF6570886C8 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 177synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF65709EB98: RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,00000001,?,00007FF657088ED8), ref: 00007FF65709EC98

ReleaseMutex.KERNEL32 ref: 00007FF6570889A3
CloseHandle.KERNEL32 ref: 00007FF6570889B1

Strings

Failed to create log event for logging thread., xrefs: 00007FF6570887A7
Failed to pump messages from parent process., xrefs: 00007FF657088969
d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00007FF657088787, 00007FF6570887E4, 00007FF657088854, 00007FF65708897A
Failed to open elevated log., xrefs: 00007FF65708871F
Failed to connect to unelevated process., xrefs: 00007FF657088747
Failed to create elevated logging thread., xrefs: 00007FF657088874
Failed to create the message window., xrefs: 00007FF6570888B8
Failed to create finished event for logging thread., xrefs: 00007FF657088804

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$HandleMutexRelease
String ID: Failed to connect to unelevated process.$Failed to create elevated logging thread.$Failed to create finished event for logging thread.$Failed to create log event for logging thread.$Failed to create the message window.$Failed to open elevated log.$Failed to pump messages from parent process.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
API String ID: 2585119886-4116955637
Opcode ID: 8336da03d7541b861453cf79fca67742efaf1534c52a47f5ae18a7860ec38f6e
Instruction ID: 7f7721348fd25d4432e50529bccd97f62daf377f26d27265bd80fe9a23bb6685
Opcode Fuzzy Hash: 8336da03d7541b861453cf79fca67742efaf1534c52a47f5ae18a7860ec38f6e
Instruction Fuzzy Hash: 03818D62B18B8A86EB21DF61E8807E933E4FB44354F980135DA4DE7A94DF3CE659C300

Function 00007FF6570B5910 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FF6570B5990
GetLastError.KERNEL32 ref: 00007FF6570B599B
CreateWindowExW.USER32 ref: 00007FF6570B5A43
GetLastError.KERNEL32 ref: 00007FF6570B5A51
UnregisterClassW.USER32 ref: 00007FF6570B5B37

Strings

WixBurnMessageWindow, xrefs: 00007FF6570B5969
Failed to create window., xrefs: 00007FF6570B5A87
Failed to register window., xrefs: 00007FF6570B59D1
d:\a\wix4\wix4\src\burn\engine\uithread.cpp, xrefs: 00007FF6570B59C5, 00007FF6570B59ED, 00007FF6570B5A7B, 00007FF6570B5B1E
Unexpected return value from message pump., xrefs: 00007FF6570B5B01

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$d:\a\wix4\wix4\src\burn\engine\uithread.cpp
API String ID: 3976189915-2033051560
Opcode ID: 3d8165fdef7c1778e5dd7f12cd9bd14def3e345cbed08d886275d1ab36f8656e
Instruction ID: 10e011b9b633c3fa5390ed2a8e3b528c83121ee5876b43a745a60da5882773c6
Opcode Fuzzy Hash: 3d8165fdef7c1778e5dd7f12cd9bd14def3e345cbed08d886275d1ab36f8656e
Instruction Fuzzy Hash: A6618172B18B469AE720CF66E4806AD73E4FB48B44F58403ADA4DE3B54DF38E519C744

Function 00007FF6570B5240 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 123registrywindowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF6570B52AC
RegisterClassW.USER32 ref: 00007FF6570B52C5
GetLastError.KERNEL32 ref: 00007FF6570B52D0
UnregisterClassW.USER32 ref: 00007FF6570B53E1
DeleteObject.GDI32 ref: 00007FF6570B53F0
PostMessageW.USER32 ref: 00007FF6570B5409

Strings

Failed to load splash screen., xrefs: 00007FF6570B5343
WixBurnSplashScreen, xrefs: 00007FF6570B52B2
Failed to register window., xrefs: 00007FF6570B5304
Unexpected return value from message pump., xrefs: 00007FF6570B53AD
d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp, xrefs: 00007FF6570B52E4, 00007FF6570B5320, 00007FF6570B53BE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Class$CursorDeleteErrorLastLoadMessageObjectPostRegisterUnregister
String ID: Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp
API String ID: 4012016417-1790364600
Opcode ID: 0c6715a91b6f91f9a68a0033e1bf64849a15980fbc5315597352a7e4e888c664
Instruction ID: d5ff47df3de7798f7e37beaf4a9189ea8d44db110f1400b9f8a6636c3ac0d7e8
Opcode Fuzzy Hash: 0c6715a91b6f91f9a68a0033e1bf64849a15980fbc5315597352a7e4e888c664
Instruction Fuzzy Hash: 2F518DB6B18B46D6EB10CB62E4906AD33E0FB98B48F484135DA0DE7B54DF38E619C344

Function 00007FF65708543C Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 134COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF657085462
GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF657085474
GetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF65708547E
GetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF6570854C7

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00007FF657085492, 00007FF657085597, 00007FF6570855D7, 00007FF65708560F
Failed to allocate space for module path., xrefs: 00007FF657085576
Failed to get size of path for executing process., xrefs: 00007FF6570854B2
Failed to re-allocate more space for module path., xrefs: 00007FF657085584
Failed to get path for executing process., xrefs: 00007FF6570855F7
Failed to get max length of input buffer., xrefs: 00007FF6570854E9
Unexpected failure getting path for executing process., xrefs: 00007FF6570855AF

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$FileModuleName
String ID: Failed to allocate space for module path.$Failed to get max length of input buffer.$Failed to get path for executing process.$Failed to get size of path for executing process.$Failed to re-allocate more space for module path.$Unexpected failure getting path for executing process.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
API String ID: 1026760046-3511924
Opcode ID: 902fc170f0bdd2ca30d4937ac6355a66afac27a7e292a50727cae38aed815fb4
Instruction ID: 9aac615cdeaae2c991152e0515a23721bcaa18aea3e23fc4dc588270f6996046
Opcode Fuzzy Hash: 902fc170f0bdd2ca30d4937ac6355a66afac27a7e292a50727cae38aed815fb4
Instruction Fuzzy Hash: 3251E5A1B18B4B83FB108F76E49013963D6AF84790F5C0136DA0DE77A1EE7CE9598714

Function 00007FF6570C3F74 Relevance: 25.8, APIs: 2, Strings: 15, Instructions: 253COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF6570C42EC
CloseHandle.KERNEL32 ref: 00007FF6570C42FA

Part of subcall function 00007FF6570BD7E4: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,-uninstall), ref: 00007FF6570BDAFB
Part of subcall function 00007FF6570BD7E4: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,-uninstall), ref: 00007FF6570BDB0F

Strings

Failed to run MSU process, xrefs: 00007FF6570C424B
Failed to get cached path for package: %ls, xrefs: 00007FF6570C4091
WixBundleExecutePackageCacheFolder, xrefs: 00007FF6570C40B9, 00007FF6570C4322
/log:, xrefs: 00007FF6570C4161
Failed to build MSU path., xrefs: 00007FF6570C40F1
Failed to append log path to MSU command-line., xrefs: 00007FF6570C419E
Failed to get action arguments for MSU package., xrefs: 00007FF6570C4054
wusa.exe, xrefs: 00007FF6570C4029
Failed to ensure WU service was enabled to install MSU package., xrefs: 00007FF6570C4204
Failed to find System32 directory., xrefs: 00007FF6570C3FE8
d:\a\wix4\wix4\src\burn\engine\msuengine.cpp, xrefs: 00007FF6570C3FF9, 00007FF6570C4080, 00007FF6570C4102
"%ls" "%ls" /quiet /norestart, xrefs: 00007FF6570C4127
Failed to format MSU install command., xrefs: 00007FF6570C4141
Failed to append log switch to MSU command-line., xrefs: 00007FF6570C4177
Failed to allocate WUSA.exe path., xrefs: 00007FF6570C403B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle
String ID: /log:$"%ls" "%ls" /quiet /norestart$Failed to allocate WUSA.exe path.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to format MSU install command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to run MSU process$WixBundleExecutePackageCacheFolder$d:\a\wix4\wix4\src\burn\engine\msuengine.cpp$wusa.exe
API String ID: 2962429428-537596307
Opcode ID: 263fb4fe716705590c4251f4337118449c9d9bd845fbae92e64d6e57b3d6eb85
Instruction ID: 17a95dd7675e574531a364b62df0cad4fed583302bf2823985b4f2e86b48c2eb
Opcode Fuzzy Hash: 263fb4fe716705590c4251f4337118449c9d9bd845fbae92e64d6e57b3d6eb85
Instruction Fuzzy Hash: 21B19371B08A4A86FB60CFA5E4402BD67A4FB58788F584135EE4DE7B95DF3CE5098310

Function 00007FF6570B03B8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 196COMMON

Download Yara Rule

Strings

Failed to open the registry key for the approved exe path., xrefs: 00007FF6570B055E
The executable path is not in a secure location: %ls, xrefs: 00007FF6570B05D3
Failed to read the value for the approved exe path., xrefs: 00007FF6570B058A
Failed to launch approved exe: %ls, xrefs: 00007FF6570B0610
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process., xrefs: 00007FF6570B0671
The per-user process requested unknown approved exe with id: %ls, xrefs: 00007FF6570B04B6
Failed to verify the executable path is in a secure location: %ls, xrefs: 00007FF6570B05BE
Failed to read approved exe arguments., xrefs: 00007FF6570B0455
Failed to write the approved exe process id to message buffer., xrefs: 00007FF6570B0633
Failed to read approved exe WaitForInputIdle timeout., xrefs: 00007FF6570B0481
d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 00007FF6570B04C2, 00007FF6570B0682
Failed to read approved exe id., xrefs: 00007FF6570B0429
yes, xrefs: 00007FF6570B04E7

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Failed to launch approved exe: %ls$Failed to open the registry key for the approved exe path.$Failed to read approved exe WaitForInputIdle timeout.$Failed to read approved exe arguments.$Failed to read approved exe id.$Failed to read the value for the approved exe path.$Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.$Failed to verify the executable path is in a secure location: %ls$Failed to write the approved exe process id to message buffer.$The executable path is not in a secure location: %ls$The per-user process requested unknown approved exe with id: %ls$d:\a\wix4\wix4\src\burn\engine\elevation.cpp$yes
API String ID: 0-3760680463
Opcode ID: 49abda448f05a181899f0d7d814cb81a599256138b5669f4f0a482871add6d11
Instruction ID: 3e215e8d29269a3befef733ffd9d43de5063f455b64b71f637a43b713fb877d8
Opcode Fuzzy Hash: 49abda448f05a181899f0d7d814cb81a599256138b5669f4f0a482871add6d11
Instruction Fuzzy Hash: CA9133B2B19A4B95EB10DF61D4802EE23A0FB58788F584536DE4DE7B59DF38E609C340

Function 00007FF6570FB7AC Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

SysFreeString.OLEAUT32 ref: 00007FF6570FB9F6
SysFreeString.OLEAUT32 ref: 00007FF6570FBA05
SysFreeString.OLEAUT32 ref: 00007FF6570FBA14

Strings

Failed to allocate ATOM unknown element value., xrefs: 00007FF6570FB91F
Failed to allocate unknown element., xrefs: 00007FF6570FB80B
Failed to get unknown element value., xrefs: 00007FF6570FB8F8
Failed get attributes on ATOM unknown element., xrefs: 00007FF6570FB94D
Failed to parse attribute on ATOM unknown element., xrefs: 00007FF6570FB9C2
Failed to allocate ATOM unknown element name., xrefs: 00007FF6570FB8D5
Failed to get unknown element namespace., xrefs: 00007FF6570FB883
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570FB7F5, 00007FF6570FB81F
Failed to allocate ATOM unknown element namespace., xrefs: 00007FF6570FB86A
Failed to enumerate all attributes on ATOM unknown element., xrefs: 00007FF6570FB9B1
Failed to get unknown element name., xrefs: 00007FF6570FB8AE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString$HeapProcess
String ID: Failed get attributes on ATOM unknown element.$Failed to allocate ATOM unknown element name.$Failed to allocate ATOM unknown element namespace.$Failed to allocate ATOM unknown element value.$Failed to allocate unknown element.$Failed to enumerate all attributes on ATOM unknown element.$Failed to get unknown element name.$Failed to get unknown element namespace.$Failed to get unknown element value.$Failed to parse attribute on ATOM unknown element.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
API String ID: 3485037438-2936770743
Opcode ID: 6306ccebe81bc0d71d4af1f65837bd19856a7b2922944d46dcbbf584579718b1
Instruction ID: f11d76ad622ac24f36c53b683789b9b51e38b3a4b8cd646a81aa55128e65562a
Opcode Fuzzy Hash: 6306ccebe81bc0d71d4af1f65837bd19856a7b2922944d46dcbbf584579718b1
Instruction Fuzzy Hash: 0D812EA5B09B5A86FF11DB25D89027923E4EF84B84F584436CE4DE37A4DF2DE50AC708

Function 00007FF657088444 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 169COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 00007FF657088480
CreateSemaphoreW.KERNEL32 ref: 00007FF657088493
GetLastError.KERNEL32 ref: 00007FF6570884A2

Part of subcall function 00007FF657095E50: LoadLibraryExW.KERNEL32 ref: 00007FF657095EC1
Part of subcall function 00007FF657095E50: GetLastError.KERNEL32 ref: 00007FF657095ED0

Part of subcall function 00007FF6570818F4: WaitForSingleObject.KERNEL32 ref: 00007FF6570818FC

EnterCriticalSection.KERNEL32 ref: 00007FF65708857F
LeaveCriticalSection.KERNEL32 ref: 00007FF657088598

Part of subcall function 00007FF657086A48: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A51
Part of subcall function 00007FF657086A48: RtlFreeHeap.NTDLL(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A5F
Part of subcall function 00007FF657086A48: GetLastError.KERNEL32(?,?,00000000,00007FF657086EA4), ref: 00007FF657086A6B

DeleteCriticalSection.KERNEL32 ref: 00007FF65708867D
CloseHandle.KERNEL32 ref: 00007FF65708868C

Strings

Failed to create semaphore for queue., xrefs: 00007FF6570884D6
Failed to dequeue action., xrefs: 00007FF6570885C9
Failed to wait on queue event., xrefs: 00007FF6570885D7
Failed to start bootstrapper application., xrefs: 00007FF65708855B
Failed to create queue for bootstrapper engine., xrefs: 00007FF657088514
d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00007FF6570884B6, 00007FF6570884E4, 00007FF6570885E8
Failed to load BA., xrefs: 00007FF65708853F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$ErrorLast$Heap$CloseCreateDeleteEnterFreeHandleInitializeLeaveLibraryLoadObjectProcessSemaphoreSingleWait
String ID: Failed to create queue for bootstrapper engine.$Failed to create semaphore for queue.$Failed to dequeue action.$Failed to load BA.$Failed to start bootstrapper application.$Failed to wait on queue event.$d:\a\wix4\wix4\src\burn\engine\engine.cpp
API String ID: 2225474240-197728619
Opcode ID: 187f2d647a2aa6bdef5957d3c5cb0c06ae32490c230674121bba88506eead7d0
Instruction ID: 6f53c9dccf19e274bb2090ca62ae30055854844fd416b06bf81dc177ff0ec91e
Opcode Fuzzy Hash: 187f2d647a2aa6bdef5957d3c5cb0c06ae32490c230674121bba88506eead7d0
Instruction Fuzzy Hash: 6E71A1A2B2865A8AFB10DB61D8806FD23E0AF44754F984135EE0DE76D5EF3CE55AC300

Function 00007FF65709404C Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 150registryCOMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF65709424D
RegCloseKey.ADVAPI32 ref: 00007FF65709426D

Strings

Failed to query registry key value., xrefs: 00007FF6570941C5
Failed to open registry key. Key = '%ls', xrefs: 00007FF6570940F8
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00007FF65709423E
Failed to set variable., xrefs: 00007FF65709420A
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00007FF6570941D4
Registry key not found. Key = '%ls', xrefs: 00007FF657094126
Failed to format value string., xrefs: 00007FF65709415C
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF6570940E7, 00007FF65709419A, 00007FF65709421B
Failed to format key string., xrefs: 00007FF65709408C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close_cwprintf_s_l
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 3644356412-2242727714
Opcode ID: 29ad6b5602f5371610da6b0835629b60f86eda80cb6b86facaa4e8813f31b358
Instruction ID: 3e436c6d12ed1ed405f5cd7aedbe11b3ee16f68bd9703b59629caaea10d3b13a
Opcode Fuzzy Hash: 29ad6b5602f5371610da6b0835629b60f86eda80cb6b86facaa4e8813f31b358
Instruction Fuzzy Hash: 8E51C6A2B1861A87FB618F65D4407BA23A0FF54798F580135EE0DE7B95DF3DE5198300

Function 00007FF6570B5430 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6570B5453
DefWindowProcW.USER32 ref: 00007FF6570B54DF
PostMessageW.USER32 ref: 00007FF6570B54FB

Part of subcall function 00007FF6570B51C4: SetWindowPos.USER32 ref: 00007FF6570B521C

DefWindowProcW.USER32 ref: 00007FF6570B5516
SetWindowLongPtrW.USER32 ref: 00007FF6570B5529
PostQuitMessage.USER32 ref: 00007FF6570B5531
SetWindowLongPtrW.USER32 ref: 00007FF6570B5555
DefWindowProcW.USER32 ref: 00007FF6570B5597
CreateCompatibleDC.GDI32 ref: 00007FF6570B55A2
SelectObject.GDI32 ref: 00007FF6570B55B1
StretchBlt.GDI32 ref: 00007FF6570B55F2
SelectObject.GDI32 ref: 00007FF6570B55FE
DeleteDC.GDI32 ref: 00007FF6570B5607

Strings

, xrefs: 00007FF6570B55C3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Window$LongProc$MessageObjectPostSelect$CompatibleCreateDeleteQuitStretch
String ID:
API String ID: 79061458-3916222277
Opcode ID: 832407ac416ec40dc60261662f06be782c85584cd33cb5f4ecd676e32aa50239
Instruction ID: c789a5670fcb7ebbc15416ebf5bbe0d1651aab6fb4fdd3ce42bb8a458bfc4849
Opcode Fuzzy Hash: 832407ac416ec40dc60261662f06be782c85584cd33cb5f4ecd676e32aa50239
Instruction Fuzzy Hash: A05190B261868986E724CB23E45477DB2E1FB89BD1F184030DA4EE7B94CE3CF6498704

Function 00007FF6570A4848 Relevance: 23.1, APIs: 2, Strings: 11, Instructions: 332COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF65708C6C4: EnterCriticalSection.KERNEL32 ref: 00007FF65708C6E6
Part of subcall function 00007FF65708C6C4: LeaveCriticalSection.KERNEL32 ref: 00007FF65708C775

CompareStringW.KERNEL32 ref: 00007FF6570A48FC
CompareStringW.KERNEL32 ref: 00007FF6570A4927

Strings

Failed to combine last source with source., xrefs: 00007FF6570A4AD2
Failed to ensure size for search paths array., xrefs: 00007FF6570A4966, 00007FF6570A49C7, 00007FF6570A4A30, 00007FF6570A4AA5, 00007FF6570A4B1C, 00007FF6570A4B7F, 00007FF6570A4BF2, 00007FF6570A4C68
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A4CA2
Failed to copy absolute source path., xrefs: 00007FF6570A4990, 00007FF6570A49F9
WixBundleOriginalSourceFolder, xrefs: 00007FF6570A48A9
Failed to combine layout source with source., xrefs: 00007FF6570A4B49
Failed to combine last source with relative., xrefs: 00007FF6570A4C1F
WixBundleLastUsedSource, xrefs: 00007FF6570A4886
Failed to combine source process folder with source., xrefs: 00007FF6570A4A5B
Failed to combine layout source with relative., xrefs: 00007FF6570A4C91
Failed to combine source process folder with relative., xrefs: 00007FF6570A4BAA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareCriticalSectionString$EnterLeave
String ID: Failed to combine last source with relative.$Failed to combine last source with source.$Failed to combine layout source with relative.$Failed to combine layout source with source.$Failed to combine source process folder with relative.$Failed to combine source process folder with source.$Failed to copy absolute source path.$Failed to ensure size for search paths array.$WixBundleLastUsedSource$WixBundleOriginalSourceFolder$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 1408779843-2177830281
Opcode ID: 50afd28073c7d12655ca60b0b79f20bc5bc21bb199d6a4a9641eec6aef61f1ee
Instruction ID: 0216462a47f74090c2f14ddff5e5a7565540275753110af76b40c2c2182bf947
Opcode Fuzzy Hash: 50afd28073c7d12655ca60b0b79f20bc5bc21bb199d6a4a9641eec6aef61f1ee
Instruction Fuzzy Hash: 11E15DB6B08A5A86EB508F59D4407B927E5EB88B88F084131EE0DE3B95DF3DE549C740

Function 00007FF6570CF550 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 289COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF6570CF701
GetLastError.KERNEL32 ref: 00007FF6570CF70F

Strings

layout bundle, xrefs: 00007FF6570CF866, 00007FF6570CF90E
Cancel during cache: %ls, xrefs: 00007FF6570CF7FD
layout container, xrefs: 00007FF6570CF6DF
Failed to ensure acquisition folder., xrefs: 00007FF6570CF5FC
d:\a\wix4\wix4\src\burn\engine\apply.cpp, xrefs: 00007FF6570CF5AD, 00007FF6570CF5CC, 00007FF6570CF657, 00007FF6570CF723, 00007FF6570CF7EE, 00007FF6570CF8C3, 00007FF6570CF92B
cache package, xrefs: 00007FF6570CF7D4, 00007FF6570CF900
Failed cache action: %ls, xrefs: 00007FF6570CF91F
Failed to set syncpoint event., xrefs: 00007FF6570CF743
Failed to allocate cache search paths array., xrefs: 00007FF6570CF66D
BA aborted cache., xrefs: 00007FF6570CF5BE
Cache prepare package failed: %ls, xrefs: 00007FF6570CF8E9

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorEventLast
String ID: BA aborted cache.$Cache prepare package failed: %ls$Cancel during cache: %ls$Failed cache action: %ls$Failed to allocate cache search paths array.$Failed to ensure acquisition folder.$Failed to set syncpoint event.$cache package$d:\a\wix4\wix4\src\burn\engine\apply.cpp$layout bundle$layout container
API String ID: 3848097054-2210361204
Opcode ID: 48bd5f94b7416d4acb779ffc6af4d9cb540e77bbbecd48b5c8b0ed52cc3f5611
Instruction ID: d1be36e6b5e2a3940179aaa4f1864bad08924b899a88fed734c7ba363c1d931e
Opcode Fuzzy Hash: 48bd5f94b7416d4acb779ffc6af4d9cb540e77bbbecd48b5c8b0ed52cc3f5611
Instruction Fuzzy Hash: 2AD1CFB2B18B4A96EB20DF65D4403B963E8FB48794F484235EA4DE7B94DF3CE5198340

Function 00007FF6570D25D0 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 213COMMON

Download Yara Rule

Strings

Failed to copy key for pseudo bundle payload., xrefs: 00007FF6570D26C2
d:\a\wix4\wix4\src\burn\engine\pseudobundle.cpp, xrefs: 00007FF6570D261B, 00007FF6570D2669, 00007FF6570D27BA, 00007FF6570D27F2, 00007FF6570D28FE
Failed to copy install arguments for update bundle package, xrefs: 00007FF6570D28E3
Failed to allocate space for burn payload inside of update bundle struct, xrefs: 00007FF6570D2681
Failed to copy download source for pseudo bundle., xrefs: 00007FF6570D2749
Failed to copy local source path for pseudo bundle., xrefs: 00007FF6570D2713
Failed to decode hash string: %ls., xrefs: 00007FF6570D27A8
Failed to allocate space for burn payload group inside of update bundle struct, xrefs: 00007FF6570D2633
Failed to allocate memory for update bundle payload hash., xrefs: 00007FF6570D280A
Failed to copy cache id for update bundle., xrefs: 00007FF6570D28B8
Failed to copy filename for pseudo bundle., xrefs: 00007FF6570D26E8
Failed to copy id for update bundle., xrefs: 00007FF6570D2895

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: HeapProcess
String ID: Failed to allocate memory for update bundle payload hash.$Failed to allocate space for burn payload group inside of update bundle struct$Failed to allocate space for burn payload inside of update bundle struct$Failed to copy cache id for update bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy id for update bundle.$Failed to copy install arguments for update bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy local source path for pseudo bundle.$Failed to decode hash string: %ls.$d:\a\wix4\wix4\src\burn\engine\pseudobundle.cpp
API String ID: 54951025-2400517205
Opcode ID: f4c70797388e1c26654dd289a022ddbdc26eba78fa03ac0cd7b0b59a47838884
Instruction ID: db958abbf8564e85584ec1c71f935677a9268427b2c8dd499a857301d24f3201
Opcode Fuzzy Hash: f4c70797388e1c26654dd289a022ddbdc26eba78fa03ac0cd7b0b59a47838884
Instruction Fuzzy Hash: 8A91C1A6B18B5A96EB20DB25D4407AA63E4FF94780F8C4035DA4CE7B85EF3DE419C704

Function 00007FF6570B5628 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F6D00: FindResourceExA.KERNEL32(?,?,?,00000000,?,00007FF6570B567B), ref: 00007FF6570F6D2C
Part of subcall function 00007FF6570F6D00: GetLastError.KERNEL32(?,?,?,00000000,?,00007FF6570B567B), ref: 00007FF6570F6D3A

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6570895BE), ref: 00007FF6570B5837
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6570895BE), ref: 00007FF6570B584B

Strings

Failed to create modal event., xrefs: 00007FF6570B5792
Invalid splash screen type: %i, xrefs: 00007FF6570B571E
Failed to read splash screen configuration resource., xrefs: 00007FF6570B5686
Failed to load splash screen configuration., xrefs: 00007FF6570B56AC
Failed to create UI thread., xrefs: 00007FF6570B5810
d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp, xrefs: 00007FF6570B5692, 00007FF6570B56BD, 00007FF6570B56F6, 00007FF6570B5729, 00007FF6570B5772, 00007FF6570B57F0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$ErrorFindLastResource
String ID: Failed to create UI thread.$Failed to create modal event.$Failed to load splash screen configuration.$Failed to read splash screen configuration resource.$Invalid splash screen type: %i$d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp
API String ID: 3960716503-2387003162
Opcode ID: eef3b4784ad176635c7450cb56cde701eb778f9798600e25abe709cbcf020ecf
Instruction ID: 6c1d4c284156155fcce5e59754327c69a405f0e55c74f554bd1c41e1950376ad
Opcode Fuzzy Hash: eef3b4784ad176635c7450cb56cde701eb778f9798600e25abe709cbcf020ecf
Instruction Fuzzy Hash: 74518C72B18B068AE721CB61E4806A933A0BB48B54F58413ADE0DE7A54EF3CE609C744

Function 00007FF6570B1010 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 218COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570B1228

Strings

Package '%ls' has no compatible MSI package, xrefs: 00007FF6570B1305
Failed to execute compatible MSI package., xrefs: 00007FF6570B1271
Failed to read parent hwnd., xrefs: 00007FF6570B1131
Failed to find package: %ls, xrefs: 00007FF6570B11C2
Failed to read variables., xrefs: 00007FF6570B118B
Package '%ls' has no compatible package with id: %ls, xrefs: 00007FF6570B12C6
Failed to read rollback flag., xrefs: 00007FF6570B1098
Failed to read MSI compatible package id., xrefs: 00007FF6570B110A
d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 00007FF6570B10A9, 00007FF6570B1287, 00007FF6570B12A3, 00007FF6570B12E2, 00007FF6570B131B
Failed to read MSI package id., xrefs: 00007FF6570B10E3
Failed to read package log., xrefs: 00007FF6570B115B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to execute compatible MSI package.$Failed to find package: %ls$Failed to read MSI compatible package id.$Failed to read MSI package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$Package '%ls' has no compatible MSI package$Package '%ls' has no compatible package with id: %ls$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
API String ID: 1825529933-1833463798
Opcode ID: a27d66401713bda8bf28be7e86ff31dcf13b59ae075febbd50bb7e6103b5fc43
Instruction ID: 168a893ff1aeb75584f3e6ada817762c3ce52d54139001856021268cb7cf3931
Opcode Fuzzy Hash: a27d66401713bda8bf28be7e86ff31dcf13b59ae075febbd50bb7e6103b5fc43
Instruction Fuzzy Hash: 65A11D75B18B4A85EB10CBA1E4401ED73A5EB98788F580136DE4DE7B58DF3CE60AC740

Function 00007FF6570BD7E4 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 217COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32 ref: 00007FF6570BD936
GetProcessId.KERNEL32(?,?,?,?,?,?,?,?,-uninstall,?,00000000,?,?,?,?,00007FF6570B9E10), ref: 00007FF6570BD941
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,-uninstall), ref: 00007FF6570BDAFB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,-uninstall), ref: 00007FF6570BDB0F

Strings

Failed to wait for executable to complete: %ls, xrefs: 00007FF6570BDA98
Failed to append user args., xrefs: 00007FF6570BD87F
d:\a\wix4\wix4\src\burn\engine\exeengine.cpp, xrefs: 00007FF6570BD8ED, 00007FF6570BDA4D, 00007FF6570BDA74, 00007FF6570BDAB1, 00007FF6570BDAD3
%ls %ls, xrefs: 00007FF6570BD867
Bootstrapper application cancelled during package process progress, exit code: 0x%x, xrefs: 00007FF6570BDA7F
Bootstrapper application aborted during package process progress., xrefs: 00007FF6570BDAC2
Failed to CreateProcess on path: %ls, xrefs: 00007FF6570BD8D6
-uninstall, xrefs: 00007FF6570BD7FC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$IdleInputProcessWait
String ID: %ls %ls$-uninstall$Bootstrapper application aborted during package process progress.$Bootstrapper application cancelled during package process progress, exit code: 0x%x$Failed to CreateProcess on path: %ls$Failed to append user args.$Failed to wait for executable to complete: %ls$d:\a\wix4\wix4\src\burn\engine\exeengine.cpp
API String ID: 3027418115-16237877
Opcode ID: 59eb1e3af77083b61bdb6fabd72db6877963720825c925e9095edf21414a70c0
Instruction ID: f28ead3b8b724ef2495c41f9648bf673703a322c40552a40281e28d0c725688c
Opcode Fuzzy Hash: 59eb1e3af77083b61bdb6fabd72db6877963720825c925e9095edf21414a70c0
Instruction Fuzzy Hash: 0C915B62B187668AFB10CF61E8807AD67A1BB48788F580139DE0DE7B58CF3DE549C744

Function 00007FF6570F8FC0 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 177fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6570F9079

Part of subcall function 00007FF6570F68A4: RegCloseKey.ADVAPI32 ref: 00007FF6570F6988

_cwprintf_s_l.LIBCMT ref: 00007FF6570F916C
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6570F9213
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6570F9222

Strings

DownloadTimeout, xrefs: 00007FF6570F90C5
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00007FF6570F903E, 00007FF6570F908D, 00007FF6570F91D2
Ignoring failure to get size and time for URL: %ls (error 0x%x), xrefs: 00007FF6570F915D
WiX\Burn, xrefs: 00007FF6570F90CC
Failed to download URL: %ls, xrefs: 00007FF6570F91E4
Failed to copy download source URL., xrefs: 00007FF6570F9027
Failed to open internet session, xrefs: 00007FF6570F90AD
Burn, xrefs: 00007FF6570F9062

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$DeleteErrorFileHandleLast_cwprintf_s_l
String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to open internet session$Ignoring failure to get size and time for URL: %ls (error 0x%x)$WiX\Burn$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
API String ID: 2949519566-1623104175
Opcode ID: bc969973fe9c3fc173172cce4f59c2ebfeba3061d2cff27dd6e383ad2b862cdd
Instruction ID: 8316ce9870654d604d729a98c8d070b95f716615e80ecca64ecf72e3b215dcd6
Opcode Fuzzy Hash: bc969973fe9c3fc173172cce4f59c2ebfeba3061d2cff27dd6e383ad2b862cdd
Instruction Fuzzy Hash: 21818376B19B4699EB50CF61E8806A933A4FB44B98F480236DE4DE3B94EF3CD119C704

Function 00007FF6570FC8B8 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 174COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

CompareStringW.KERNEL32 ref: 00007FF6570FC913
CompareStringW.KERNEL32 ref: 00007FF6570FC940
CompareStringW.KERNEL32 ref: 00007FF6570FC985

Strings

Failed to process ATOM entry., xrefs: 00007FF6570FCAF8
Failed to allocate default application id., xrefs: 00007FF6570FC9C6
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp, xrefs: 00007FF6570FC9E1, 00007FF6570FCA24, 00007FF6570FCADC
Failed to allocate default application type., xrefs: 00007FF6570FC9B8
Failed to reallocate memory for update entries., xrefs: 00007FF6570FCAEC
http://appsyndication.org/2006/appsyn, xrefs: 00007FF6570FC8FB
application, xrefs: 00007FF6570FC927
Failed to allocate memory for update entries., xrefs: 00007FF6570FCA34
type, xrefs: 00007FF6570FC96A

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString$HeapProcess
String ID: Failed to allocate default application id.$Failed to allocate default application type.$Failed to allocate memory for update entries.$Failed to process ATOM entry.$Failed to reallocate memory for update entries.$application$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 3319327951-2947066191
Opcode ID: 9150c8f1d9744b579bb6dbf197083b280d58b265ea9f14b654602577527d328a
Instruction ID: 7d65ffe77739708e1148094b548615e165a0a567cb5347ad9ca464f585be65bd
Opcode Fuzzy Hash: 9150c8f1d9744b579bb6dbf197083b280d58b265ea9f14b654602577527d328a
Instruction Fuzzy Hash: 3A7114B2A18B4682EB24CF25E84126A73E0FB84B64F4C0135DA4DE7794DF3CE549C748

Function 00007FF6570B4F8C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 150windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FF6570B4FCE
LoadBitmapW.USER32 ref: 00007FF6570B4FF6
GetLastError.KERNEL32 ref: 00007FF6570B5004
GetObjectW.GDI32 ref: 00007FF6570B504D
GetCursorPos.USER32 ref: 00007FF6570B5069
CreateWindowExW.USER32 ref: 00007FF6570B5131
GetLastError.KERNEL32 ref: 00007FF6570B5140

Strings

WixBurnSplashScreen, xrefs: 00007FF6570B5121
Failed to create window., xrefs: 00007FF6570B5174
Failed to load splash screen bitmap., xrefs: 00007FF6570B5038
`, xrefs: 00007FF6570B4FE3
d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp, xrefs: 00007FF6570B5018, 00007FF6570B5154, 00007FF6570B5180

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLastWindow$BitmapCreateCursorLoadObject
String ID: Failed to create window.$Failed to load splash screen bitmap.$WixBurnSplashScreen$`$d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp
API String ID: 1087062382-1433972835
Opcode ID: dfc708886f56aea22527c6216f631cc815af518f0d3ac935a27bb6e05fddeadd
Instruction ID: 7cb5e34116d522d1c19d699679794a0c386022aa0bb8c58c019fdabfd57ca1d7
Opcode Fuzzy Hash: dfc708886f56aea22527c6216f631cc815af518f0d3ac935a27bb6e05fddeadd
Instruction Fuzzy Hash: 8E6158B2A14A468AE720CF26E44076977E5FB98B98F094135DE4DD7758DF3CE409CB80

Function 00007FF6570A3748 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6570A3797
GetLastError.KERNEL32 ref: 00007FF6570A37A6
CloseHandle.KERNEL32 ref: 00007FF6570A398A

Strings

Failed to verify payload hash: %ls, xrefs: 00007FF6570A38A5
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A37BA, 00007FF6570A37EB, 00007FF6570A3821, 00007FF6570A390D
Failed to verify payload signature: %ls, xrefs: 00007FF6570A38F1
%ls payload from working path '%ls' to path '%ls', xrefs: 00007FF6570A3948
Copying, xrefs: 00007FF6570A393A
Failed to open payload in working path: %ls, xrefs: 00007FF6570A37DA
Payload has no verification information: %ls, xrefs: 00007FF6570A3844
Moving, xrefs: 00007FF6570A392C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$Payload has no verification information: %ls$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 2528220319-3234199796
Opcode ID: bc962a4dadd807e5149b15bfc77bdcc38d20df1e56e90874a1565f108e270ddf
Instruction ID: 54de27d7eb8978814b85496bb711ab4b039624d24b12d94552cebbccfc37d639
Opcode Fuzzy Hash: bc962a4dadd807e5149b15bfc77bdcc38d20df1e56e90874a1565f108e270ddf
Instruction Fuzzy Hash: 0C519E75718B8586E7208F16E48066AB7A4FB88B90F580239DE9DE3B54CF3DD525CB04

Function 00007FF6570E92C0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 128COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00007FF6570E96E2), ref: 00007FF6570E92EA
GetLastError.KERNEL32 ref: 00007FF6570E92F4

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

GetTokenInformation.ADVAPI32 ref: 00007FF6570E936C
GetLastError.KERNEL32 ref: 00007FF6570E9376
GetTokenInformation.ADVAPI32 ref: 00007FF6570E9413
GetLastError.KERNEL32 ref: 00007FF6570E941D
CloseHandle.KERNEL32 ref: 00007FF6570E9495

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E9308, 00007FF6570E9340, 00007FF6570E9388, 00007FF6570E93E0, 00007FF6570E9431, 00007FF6570E946B
Failed to get information from process token size., xrefs: 00007FF6570E93B3
Failed to allocate token information., xrefs: 00007FF6570E93EE
Failed to open process token., xrefs: 00007FF6570E9328
Failed to get information from process token., xrefs: 00007FF6570E9451

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLastToken$InformationProcess$CloseHandleHeapOpen
String ID: Failed to allocate token information.$Failed to get information from process token size.$Failed to get information from process token.$Failed to open process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 1402880313-3612203842
Opcode ID: 93654e2996a761eb325c3759a878e80e0c52e1a5a3f9df58c6843972dfc6fca6
Instruction ID: 00f2bbac0ecf79cf6d985220700e1d529d7d9cd1d019a53666c9943e1c3d494e
Opcode Fuzzy Hash: 93654e2996a761eb325c3759a878e80e0c52e1a5a3f9df58c6843972dfc6fca6
Instruction Fuzzy Hash: 3851B571B1874A8AEB219F66D88066A33E4BF84B50F4C0135DA4DE3754DF7CE549C744

Function 00007FF6570EF808 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

MonitorFromPoint.USER32(?,?,00000020,?,?,00007FF6570B5086), ref: 00007FF6570EF88D
GetMonitorInfoW.USER32 ref: 00007FF6570EF8D5
CreateDCW.GDI32 ref: 00007FF6570EF94F
GetDeviceCaps.GDI32 ref: 00007FF6570EF98E
ReleaseDC.USER32 ref: 00007FF6570EF9A5

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dpiutil.cpp, xrefs: 00007FF6570EF848, 00007FF6570EF870, 00007FF6570EF8A6, 00007FF6570EF962
Failed to get device context for monitor., xrefs: 00007FF6570EF97A
Failed to get DPI for monitor., xrefs: 00007FF6570EF91E
Failed to get monitor from point., xrefs: 00007FF6570EF8B4
Failed to get monitor info for point., xrefs: 00007FF6570EF8E4
Failed to allocate memory for DpiuMonitorContext., xrefs: 00007FF6570EF858
DISPLAY, xrefs: 00007FF6570EF948

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Monitor$CapsCreateDeviceFromHeapInfoPointProcessRelease
String ID: DISPLAY$Failed to allocate memory for DpiuMonitorContext.$Failed to get DPI for monitor.$Failed to get device context for monitor.$Failed to get monitor from point.$Failed to get monitor info for point.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dpiutil.cpp
API String ID: 1183624408-1129088005
Opcode ID: 10dc910972e96ef09c9ba99fa8a9eb434e102d713b5bc66631448ba17b01cfa0
Instruction ID: 8f780da479323cbc32e33f93c92aaf40186edf4b3171ed19c49af97cebcdfbd7
Opcode Fuzzy Hash: 10dc910972e96ef09c9ba99fa8a9eb434e102d713b5bc66631448ba17b01cfa0
Instruction Fuzzy Hash: EE4180B2A08A5E86EB609F16E8001A963E1EB88B90F9D4135DD4DF7754DF3CF509C744

Function 00007FF65708C0E4 Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 232COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,00007FF6570ACF05), ref: 00007FF65708C12A
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,00007FF6570ACF05), ref: 00007FF65708C3EF

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708C3D0
Failed to read variable value type., xrefs: 00007FF65708C3A3
Failed to read variable name., xrefs: 00007FF65708C3B1
Failed to read variable value as string., xrefs: 00007FF65708C339, 00007FF65708C387
Failed to read variable value as number., xrefs: 00007FF65708C36B
Failed to set variable., xrefs: 00007FF65708C395
Failed to read variable included flag., xrefs: 00007FF65708C3BF
Failed to read variable count., xrefs: 00007FF65708C14C
Unsupported variable type., xrefs: 00007FF65708C34F
Failed to set variable value., xrefs: 00007FF65708C23D, 00007FF65708C35D, 00007FF65708C379
Failed to parse variable value as version., xrefs: 00007FF65708C328

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to parse variable value as version.$Failed to read variable count.$Failed to read variable included flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-1722372363
Opcode ID: fc220c59e7a825faf336270e60be5240594e5b21ebaeed931df62eddd12faee0
Instruction ID: 1992502794f46f74cca7511a63bed6a9aeb112632fd80389bf66432404bbaee6
Opcode Fuzzy Hash: fc220c59e7a825faf336270e60be5240594e5b21ebaeed931df62eddd12faee0
Instruction Fuzzy Hash: 2B9145A1B08A5B9AFB11DBA1D8505BE27F4AB44798F584036DE0DF3B95DF38E6498300

Function 00007FF6570F8408 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 132fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6570F84CF
GetLastError.KERNEL32 ref: 00007FF6570F84DE
ReadFile.KERNEL32 ref: 00007FF6570F8543
GetLastError.KERNEL32 ref: 00007FF6570F8572
CloseHandle.KERNEL32 ref: 00007FF6570F85D7

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00007FF6570F8445
Failed to create resume path., xrefs: 00007FF6570F8452
%ls.R, xrefs: 00007FF6570F8428
Failed to create resume file: %ls, xrefs: 00007FF6570F8518
Failed to read resume file: %ls, xrefs: 00007FF6570F85B2
Failed to calculate resume path from working path: %ls, xrefs: 00007FF6570F8480

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to create resume path.$Failed to read resume file: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
API String ID: 3160720760-2159331624
Opcode ID: b0fb9219233507b50343dbf3de6941200a1d9370cb0aa56eb109785e7af19bf2
Instruction ID: e8c574ffa31eeca42ac8ff17db847c4daa35ffa558ae239060a61741b76bbce3
Opcode Fuzzy Hash: b0fb9219233507b50343dbf3de6941200a1d9370cb0aa56eb109785e7af19bf2
Instruction Fuzzy Hash: F351D4B2B1875587E720CB26E8803AA62D0BB88BA4F484335DE9DD7BD4DF3CD5498744

Function 00007FF6570FB5D4 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 129COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

SysFreeString.OLEAUT32 ref: 00007FF6570FB773
SysFreeString.OLEAUT32 ref: 00007FF6570FB782
SysFreeString.OLEAUT32 ref: 00007FF6570FB791

Strings

Failed to allocate ATOM unknown attribute namespace., xrefs: 00007FF6570FB68A
Failed to get unknown attribute value., xrefs: 00007FF6570FB718
Failed to get unknown attribute name., xrefs: 00007FF6570FB6CE
Failed to allocate ATOM unknown attribute value., xrefs: 00007FF6570FB73F
Failed to get unknown attribute namespace., xrefs: 00007FF6570FB6A3
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570FB615, 00007FF6570FB63F
Failed to allocate unknown attribute., xrefs: 00007FF6570FB62B
Failed to allocate ATOM unknown attribute name., xrefs: 00007FF6570FB6F5

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString$HeapProcess
String ID: Failed to allocate ATOM unknown attribute name.$Failed to allocate ATOM unknown attribute namespace.$Failed to allocate ATOM unknown attribute value.$Failed to allocate unknown attribute.$Failed to get unknown attribute name.$Failed to get unknown attribute namespace.$Failed to get unknown attribute value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
API String ID: 3485037438-797782994
Opcode ID: f168fd8ff74354931a518d3b75d61f3c9652a41daeb371851fc4319f3d88320f
Instruction ID: 7a50ef78f313d5dc6aeda1da22e0c003602cc1409f107436e3188f563c12e1f9
Opcode Fuzzy Hash: f168fd8ff74354931a518d3b75d61f3c9652a41daeb371851fc4319f3d88320f
Instruction Fuzzy Hash: 8A516EA5B09B5B96EB11DB26D89017923E0EF44B84F5C4431DE0DE3BA5EF3CE4498708

Function 00007FF6570A353C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 126fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6570A358B
GetLastError.KERNEL32 ref: 00007FF6570A359A
CloseHandle.KERNEL32 ref: 00007FF6570A3720

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A35AE, 00007FF6570A35DF, 00007FF6570A360A, 00007FF6570A36A3
%ls container from working path '%ls' to path '%ls', xrefs: 00007FF6570A36DE
Failed to verify container hash: %ls, xrefs: 00007FF6570A368C
Copying, xrefs: 00007FF6570A36D0
Failed to open container in working path: %ls, xrefs: 00007FF6570A35CE
Container has no verification information: %ls, xrefs: 00007FF6570A362D
Moving, xrefs: 00007FF6570A36C2

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: %ls container from working path '%ls' to path '%ls'$Container has no verification information: %ls$Copying$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 2528220319-3503443624
Opcode ID: 6d36b78f0c8ae030741ba7b745dbf87065d0aa8a2297b58738bfd2dcb2ad118d
Instruction ID: fd80e9c08177d8b0bb71ad1419e7322cd81ea0ca144121bc5ff8003086538e22
Opcode Fuzzy Hash: 6d36b78f0c8ae030741ba7b745dbf87065d0aa8a2297b58738bfd2dcb2ad118d
Instruction Fuzzy Hash: D9519D76718B4586E7208F12E4806AA77E4FB88B90F580239EE8DD7B54CF3CD569CB44

Function 00007FF65708608C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 125COMMON

Download Yara Rule

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00007FF65708619F, 00007FF6570861EB, 00007FF65708621F
kernel32.dll, xrefs: 00007FF6570860F3
Failed to load kernel32.dll, xrefs: 00007FF657086105
Failed to get temp path., xrefs: 00007FF65708620B
Failed to allocate space for temp path., xrefs: 00007FF65708612B
Failed to reallocate space for temp path., xrefs: 00007FF6570861BE
Failed to get max length of input buffer., xrefs: 00007FF6570860CA
GetTempPathW results never converged., xrefs: 00007FF6570861B5
GetTempPath2W, xrefs: 00007FF657086144

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Failed to allocate space for temp path.$Failed to get max length of input buffer.$Failed to get temp path.$Failed to load kernel32.dll$Failed to reallocate space for temp path.$GetTempPath2W$GetTempPathW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp$kernel32.dll
API String ID: 0-945536007
Opcode ID: 6023d17c7a8d3e20830b6077d138ec7580dcfbfabcf0b0b2ff7cf487654748f8
Instruction ID: 5f2510348478276e0afe24ad2fc029940ce08578ca9f755fea60726dc220ffb4
Opcode Fuzzy Hash: 6023d17c7a8d3e20830b6077d138ec7580dcfbfabcf0b0b2ff7cf487654748f8
Instruction Fuzzy Hash: 2E41C3A1B18A4B86FF11CF25D88027A62D5AF84790F5D4135DD0DE33A2EE3CE959C304

Function 00007FF6570F08A8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 120libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000005), ref: 00007FF6570F09AC
GetLastError.KERNEL32(?,?,00000005), ref: 00007FF6570F09BE
LocalFree.KERNEL32(?,?,00000005), ref: 00007FF6570F0A74

Strings

Failed to get address of PathAllocCanonicalize., xrefs: 00007FF6570F09F5
Failed to load api-ms-win-core-path-l1-1-0.dll, xrefs: 00007FF6570F090D
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00007FF6570F08C4
Failed to copy the canonicalized path., xrefs: 00007FF6570F0A2E
Failed to initialize path2utl., xrefs: 00007FF6570F0A3C
PathAllocCanonicalize, xrefs: 00007FF6570F09A5
Failed to canonicalize: %ls, xrefs: 00007FF6570F097A
api-ms-win-core-path-l1-1-0.dll, xrefs: 00007FF6570F08EE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressErrorFreeLastLocalProc
String ID: Failed to canonicalize: %ls$Failed to copy the canonicalized path.$Failed to get address of PathAllocCanonicalize.$Failed to initialize path2utl.$Failed to load api-ms-win-core-path-l1-1-0.dll$PathAllocCanonicalize$api-ms-win-core-path-l1-1-0.dll$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
API String ID: 3612902539-1745691185
Opcode ID: 5020280c84d4ef95f29fdd2211bc33ec566e1588389ba0ff39993e04a38af019
Instruction ID: a437816af5f1b0efa266e3926992cf3447563c8b6a97d149769d0575aff41d75
Opcode Fuzzy Hash: 5020280c84d4ef95f29fdd2211bc33ec566e1588389ba0ff39993e04a38af019
Instruction Fuzzy Hash: 4851ADA1B0CB4A85FB209B16E88067A62E0BF48784F9C0135DE4DE7760DF3DE549C718

Function 00007FF6570F1370 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 117COMMON

Download Yara Rule

APIs

GetSystemWindowsDirectoryW.KERNEL32 ref: 00007FF6570F13BE
GetLastError.KERNEL32 ref: 00007FF6570F13CA

Strings

Failed to terminate Windows directory path with backslash., xrefs: 00007FF6570F14E5
Failed to get Windows directory path with default size., xrefs: 00007FF6570F13FE
Failed to concat subdirectory on Windows directory path., xrefs: 00007FF6570F14BB
Failed to alloc Windows directory path., xrefs: 00007FF6570F13A3
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00007FF6570F13DE, 00007FF6570F1474, 00007FF6570F14FC
Failed to get Windows directory path with returned size., xrefs: 00007FF6570F1482
Failed to realloc Windows directory path., xrefs: 00007FF6570F142C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: DirectoryErrorLastSystemWindows
String ID: Failed to alloc Windows directory path.$Failed to concat subdirectory on Windows directory path.$Failed to get Windows directory path with default size.$Failed to get Windows directory path with returned size.$Failed to realloc Windows directory path.$Failed to terminate Windows directory path with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp
API String ID: 505562763-519864416
Opcode ID: 5b5ffd5b08da59444f2a6b08d79f3b2db3cafcd67f267dada83fb5041b079584
Instruction ID: 2cb40ffa39aa316143fc6cb1432640affd313e40e7ddd163816c5e6cb4518fd5
Opcode Fuzzy Hash: 5b5ffd5b08da59444f2a6b08d79f3b2db3cafcd67f267dada83fb5041b079584
Instruction Fuzzy Hash: 2041A361B18B4686FB119B55E89037A63D4AFC4B90F5C0031DE4DE7795EFBCE9098B08

Function 00007FF6570882A8 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF657089A37), ref: 00007FF6570882BC

Part of subcall function 00007FF6570E8F38: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6570E8F7E
Part of subcall function 00007FF6570E8F38: GetLastError.KERNEL32 ref: 00007FF6570E8F88
Part of subcall function 00007FF6570E8F38: CloseHandle.KERNEL32 ref: 00007FF6570E90E5

Sleep.KERNEL32(?,?,?,?,?,?,?,00007FF657089A37), ref: 00007FF65708832B
GetLastError.KERNEL32 ref: 00007FF65708835C

Part of subcall function 00007FF6570AD160: EnterCriticalSection.KERNEL32(?,?,?,00007FF657088320,?,?,?,?,?,?,?,00007FF657089A37), ref: 00007FF6570AD17E

IsWindow.USER32 ref: 00007FF6570883C7
Sleep.KERNEL32 ref: 00007FF6570883E1
Sleep.KERNEL32 ref: 00007FF657088418
IsWindow.USER32 ref: 00007FF657088425

Strings

d:\a\wix4\wix4\src\burn\engine\engine.cpp, xrefs: 00007FF6570882E8, 00007FF657088392
Failed to schedule restart., xrefs: 00007FF6570883A3
Failed to enable shutdown privilege in process token., xrefs: 00007FF6570882D7
SeShutdownPrivilege, xrefs: 00007FF6570882C5

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Sleep$ErrorLastWindow$CloseCriticalCurrentEnterHandleLookupPrivilegeProcessSectionValue
String ID: Failed to enable shutdown privilege in process token.$Failed to schedule restart.$SeShutdownPrivilege$d:\a\wix4\wix4\src\burn\engine\engine.cpp
API String ID: 1619525766-2157809017
Opcode ID: 8335a0d5f0e8bbece7f30233b55d3bfe093975e3dcf69f64dd79098857f69502
Instruction ID: ba21421657195aca565ad7ff521654dffeaf3dc4c0b354b69963c0e6401903ab
Opcode Fuzzy Hash: 8335a0d5f0e8bbece7f30233b55d3bfe093975e3dcf69f64dd79098857f69502
Instruction Fuzzy Hash: 6B41CBA1B18A8B83F7249B65E89037A62D1EF84B94F5C4035DA0DE77D4DF6CF85A8304

Function 00007FF65708D8D8 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 166COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF65708D90A
LeaveCriticalSection.KERNEL32 ref: 00007FF65708DB0C

Strings

Failed to get string., xrefs: 00007FF65708DAB2
Failed to write variable value as string., xrefs: 00007FF65708DAA4
d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708DAED
Failed to write variable name., xrefs: 00007FF65708DACE
Failed to write variable count., xrefs: 00007FF65708D925
Failed to write variable value as number., xrefs: 00007FF65708DA88
Failed to write included flag., xrefs: 00007FF65708DADC
Failed to get numeric., xrefs: 00007FF65708DA96
Unsupported variable type., xrefs: 00007FF65708DA7A
Failed to write variable value type., xrefs: 00007FF65708DAC0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-3226335872
Opcode ID: 2f9ff8235a1512951770a9d4813028bbf8c285329225a902fa43203456165b82
Instruction ID: 6a7528ec0a315b7e881657b911f53ba8928df4a2f6ca158b4d208ba4169247de
Opcode Fuzzy Hash: 2f9ff8235a1512951770a9d4813028bbf8c285329225a902fa43203456165b82
Instruction Fuzzy Hash: AC6190A1B0C61B93EA24DB21D44427A23D4FB48B90FA84235DE0DEB795DF3DE91AC700

Function 00007FF6570E9ED0 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6570F5849), ref: 00007FF6570EA01E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6570F5849), ref: 00007FF6570EA192

Strings

Failed to recursively delete subkey: %ls, xrefs: 00007FF6570EA055
Failed to concatenate paths while recursively deleting subkeys. Path1: %ls, Path2: %ls, xrefs: 00007FF6570EA077
Failed to open this key for enumerating subkeys: %ls, xrefs: 00007FF6570E9F87
Failed to delete registry key (ex)., xrefs: 00007FF6570EA112
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570E9F34, 00007FF6570E9F9E, 00007FF6570EA065, 00007FF6570EA0E7, 00007FF6570EA13D
Failed to enumerate key 0, xrefs: 00007FF6570EA09F
Failed to delete registry key., xrefs: 00007FF6570EA168
RegInitialize must be called first in order to RegDelete() a key with non-default bit attributes!, xrefs: 00007FF6570E9F1D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to concatenate paths while recursively deleting subkeys. Path1: %ls, Path2: %ls$Failed to delete registry key (ex).$Failed to delete registry key.$Failed to enumerate key 0$Failed to open this key for enumerating subkeys: %ls$Failed to recursively delete subkey: %ls$RegInitialize must be called first in order to RegDelete() a key with non-default bit attributes!$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 3535843008-329788176
Opcode ID: 3fff0434b7efc1b17b30b79050bafae5a9a5e502ac803cf16d9c882809d36b86
Instruction ID: 7ccfd75a4ed1bfe6cb43c2ddf8ffac372e6510e8abdb8f0865edf1d0334c2b62
Opcode Fuzzy Hash: 3fff0434b7efc1b17b30b79050bafae5a9a5e502ac803cf16d9c882809d36b86
Instruction Fuzzy Hash: 88817EB1B1872B89FB209B66D88067A23E4BB49B80F580536DE0DE3B54DF3DE5498740

Function 00007FF6570EF0A0 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF6570EF0EA
SysAllocString.OLEAUT32 ref: 00007FF6570EF0FC
VariantClear.OLEAUT32 ref: 00007FF6570EF2F0

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EF110, 00007FF6570EF13A, 00007FF6570EF184, 00007FF6570EF2C8
failed to allocate bstr for Path in XmlLoadDocumentFromFileEx, xrefs: 00007FF6570EF126
failed put_resolveExternals, xrefs: 00007FF6570EF224
failed XmlCreateDocument, xrefs: 00007FF6570EF178
failed to load XML from: %ls, xrefs: 00007FF6570EF2B7
failed put_validateOnParse, xrefs: 00007FF6570EF1F8
failed put_preserveWhiteSpace, xrefs: 00007FF6570EF1CC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed XmlCreateDocument$failed put_preserveWhiteSpace$failed put_resolveExternals$failed put_validateOnParse$failed to allocate bstr for Path in XmlLoadDocumentFromFileEx$failed to load XML from: %ls
API String ID: 2213243845-3558707546
Opcode ID: 594f55ff40f7e68af164e6c62440e0f63f53b8e968095b48d2a03afd17150360
Instruction ID: 5ad9855023bf29f67419d466d2e6445fc9ccd05c7187bd2d6cf862846da16f2a
Opcode Fuzzy Hash: 594f55ff40f7e68af164e6c62440e0f63f53b8e968095b48d2a03afd17150360
Instruction Fuzzy Hash: 48715DB6B18B4A96EB118F66D8801AD33A5EF48B94F484136CE0DE3764EF3DE549C304

Function 00007FF6570F5540 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F4AE4: lstrlenW.KERNEL32(?,?,?,?,?,00007FF6570F51B3,?,?,?,?,?,?,?,?,?,00007FF6570A6BDE), ref: 00007FF6570F4B23

RegCloseKey.ADVAPI32 ref: 00007FF6570F577B
RegCloseKey.ADVAPI32 ref: 00007FF6570F579D

Strings

Failed to create the dependency subkey "%ls"., xrefs: 00007FF6570F5697
Failed to set the %ls registry value to %d., xrefs: 00007FF6570F574C
Failed to create the dependency registry key "%ls"., xrefs: 00007FF6570F560C
%ls\%ls, xrefs: 00007FF6570F561C
Failed to allocate dependent subkey "%ls" under dependency "%ls"., xrefs: 00007FF6570F563A
Failed to allocate the registry key for dependency "%ls"., xrefs: 00007FF6570F5596
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00007FF6570F55AD, 00007FF6570F575E
Failed to set the %ls registry value to "%ls"., xrefs: 00007FF6570F56D2, 00007FF6570F570E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$lstrlen
String ID: %ls\%ls$Failed to allocate dependent subkey "%ls" under dependency "%ls".$Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to create the dependency subkey "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
API String ID: 1752758355-602586573
Opcode ID: 95099f63415e8c6dfb790fd428379e41e8111bcca93647b5c6b3bb41871ddc1c
Instruction ID: 1d5d806a88ec2a1258dfd646ac6cf47bf2be1153cfa9251eb52ab93f51ed50bf
Opcode Fuzzy Hash: 95099f63415e8c6dfb790fd428379e41e8111bcca93647b5c6b3bb41871ddc1c
Instruction Fuzzy Hash: BA713C72B28B5A85EB10CB52E8807A937B4FB48794F080535EE4DE7B69DF3CD5488744

Function 00007FF657086F9C Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 119COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00000000), ref: 00007FF657087026
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00007FF657087036
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00000000), ref: 00007FF6570870F7
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00007FF657087103

Strings

Failed to allocate space for expanded path., xrefs: 00007FF6570870B5
Failed to allocate buffer for expanded string., xrefs: 00007FF657087132
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\envutil.cpp, xrefs: 00007FF657086FF4, 00007FF657087044, 00007FF657087083, 00007FF65708711C
Failed to get max length of input buffer., xrefs: 00007FF657086FDD
Failed to expand environment variables in string: %ls, xrefs: 00007FF657087075
Failed to re-allocate more space for expanded path., xrefs: 00007FF6570870DD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStrings
String ID: Failed to allocate buffer for expanded string.$Failed to allocate space for expanded path.$Failed to expand environment variables in string: %ls$Failed to get max length of input buffer.$Failed to re-allocate more space for expanded path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\envutil.cpp
API String ID: 4064601616-3610958334
Opcode ID: f9daa8191f49c94f3b76de57b8307bcb9f76794c0b0d5332c6eee05878274ed4
Instruction ID: 3c135735ac46e8629444a74fb7d442c234af9ed0f984d7f32429c5150c60fa91
Opcode Fuzzy Hash: f9daa8191f49c94f3b76de57b8307bcb9f76794c0b0d5332c6eee05878274ed4
Instruction Fuzzy Hash: C04107A1B08B06C6EB21DB66D84027923D1AF84BD0F5C5136DE0DE7795EE3CE909C704

Function 00007FF65708A890 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 99registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EA674: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,00007FF6570EA66D), ref: 00007FF6570EA6C1

RegCloseKey.ADVAPI32 ref: 00007FF65708A996

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708A8EB
Failed to open Windows folder key., xrefs: 00007FF65708A903
ProgramFilesDir, xrefs: 00007FF65708A8B3
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00007FF65708A8C6
Failed to get 64-bit folder., xrefs: 00007FF65708A9A0
CommonFilesDir, xrefs: 00007FF65708A8A7
Failed to set variant value., xrefs: 00007FF65708A9C7
Failed to ensure path was backslash terminated., xrefs: 00007FF65708A966
Failed to read folder path for '%ls'., xrefs: 00007FF65708A92C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseOpen
String ID: CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to get 64-bit folder.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$Failed to set variant value.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 47109696-3026353617
Opcode ID: 0c85f6d079ce6b1e861ce7baa1f194e72584532c41f66755beed974e70b7b8e1
Instruction ID: f9d6eaff57f69b91d5625801e48eadde03c5f49c5f425c0a6459202f998dd9bd
Opcode Fuzzy Hash: 0c85f6d079ce6b1e861ce7baa1f194e72584532c41f66755beed974e70b7b8e1
Instruction Fuzzy Hash: 1F41D3A2B1CA5A82FB20DB16E88077963D4FB49784F994135DE8CE3B95DF3CE5498700

Function 00007FF6570EE350 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 90COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6570EE455
SysFreeString.OLEAUT32 ref: 00007FF6570EE492
SysFreeString.OLEAUT32 ref: 00007FF6570EE4A6

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EE395
Failed to query IXMLDOMParseError.errorCode., xrefs: 00007FF6570EE37E
Failed to query IXMLDOMParseError.reason., xrefs: 00007FF6570EE43B
Failed to query IXMLDOMParseError.linepos., xrefs: 00007FF6570EE412
Failed to query IXMLDOMParseError.filepos., xrefs: 00007FF6570EE3C6
Failed to query IXMLDOMParseError.line., xrefs: 00007FF6570EE3EC
Failed to query IXMLDOMParseError.srcText ., xrefs: 00007FF6570EE478

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString
String ID: Failed to query IXMLDOMParseError.errorCode.$Failed to query IXMLDOMParseError.filepos.$Failed to query IXMLDOMParseError.line.$Failed to query IXMLDOMParseError.linepos.$Failed to query IXMLDOMParseError.reason.$Failed to query IXMLDOMParseError.srcText .$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp
API String ID: 3341692771-2297621156
Opcode ID: 4512603ddfcaf43032c64b985e8020668fc5d61bff97e75c2df6c7617902b3ed
Instruction ID: ad62e0117263d759a99b182f001f2721fb66f18b6970b6017be5a0e36dfa4b82
Opcode Fuzzy Hash: 4512603ddfcaf43032c64b985e8020668fc5d61bff97e75c2df6c7617902b3ed
Instruction Fuzzy Hash: E741EBA6B08A4F85FB108F26D8943B923A0FB54F88F4C4432DD0EE66A4DF6DE559C744

Function 00007FF65708B780 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF65708B7B7
GetProcAddress.KERNEL32 ref: 00007FF65708B7C7
GetLastError.KERNEL32 ref: 00007FF65708B7D2

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708B7E6, 00007FF65708B890
Failed to find DllGetVersion entry point in msi.dll., xrefs: 00007FF65708B806
DllGetVersion, xrefs: 00007FF65708B7C0
Failed to create msi.dll version from QWORD., xrefs: 00007FF65708B85E
Failed to get msi.dll version info., xrefs: 00007FF65708B82A
msi, xrefs: 00007FF65708B79D
Failed to set variant value., xrefs: 00007FF65708B87F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to create msi.dll version from QWORD.$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp$msi
API String ID: 4275029093-1657635385
Opcode ID: 021f52ab083eb0e9da1a4df6df46773c030ff95cca2067d7327bc12b7904757e
Instruction ID: 95aa52fb97aa6f8f5b8c329de6aef78970530ccae21c1c49805b32f067a99b5b
Opcode Fuzzy Hash: 021f52ab083eb0e9da1a4df6df46773c030ff95cca2067d7327bc12b7904757e
Instruction Fuzzy Hash: B0319361B18B4A86FB14DB15E88027A32E0BF48B80F580139EA4EE7755EF7CE55AC744

Function 00007FF65709F0C8 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570E84AC: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000002,?,?,00007FF65709EFD4,?,?,?,00000000), ref: 00007FF6570E84E5
Part of subcall function 00007FF6570E84AC: LeaveCriticalSection.KERNEL32 ref: 00007FF6570E874E

OpenEventLogW.ADVAPI32 ref: 00007FF65709F10B
GetLastError.KERNEL32 ref: 00007FF65709F119
ReportEventW.ADVAPI32 ref: 00007FF65709F1AD
CloseEventLog.ADVAPI32 ref: 00007FF65709F1B6

Strings

Application, xrefs: 00007FF65709F102
d:\a\wix4\wix4\src\burn\engine\logging.cpp, xrefs: 00007FF65709F12D, 00007FF65709F15C
Setup, xrefs: 00007FF65709F0EC
_Failed, xrefs: 00007FF65709F0E0
log, xrefs: 00007FF65709F0D4
Failed to open Application event log, xrefs: 00007FF65709F14B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$d:\a\wix4\wix4\src\burn\engine\logging.cpp$log
API String ID: 1844635321-122217184
Opcode ID: 4b85589f99975c1b976fe861e3be25becbb4e57052186f6c808d00d94f6357fa
Instruction ID: 2940765654e4da75a47974d16c68059bbf2e896b0c3a1438d8efb443cc5b1dca
Opcode Fuzzy Hash: 4b85589f99975c1b976fe861e3be25becbb4e57052186f6c808d00d94f6357fa
Instruction Fuzzy Hash: 4D21B3B1B2874683EB209B20E8407B532E4FF58755F4C0139D94EE6664DF7CE158C744

Function 00007FF6570F10E0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 176COMMON

Download Yara Rule

Strings

Failed to canonicalize the path., xrefs: 00007FF6570F1170
wzPath is required., xrefs: 00007FF6570F12F0
wzDirectory must be a fully qualified path., xrefs: 00007FF6570F11B4
wzDirectory is required., xrefs: 00007FF6570F1316
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp, xrefs: 00007FF6570F119C, 00007FF6570F12D8, 00007FF6570F12FE, 00007FF6570F132E
Failed to get length of canonicalized path., xrefs: 00007FF6570F1281
Failed to get length of canonicalized directory., xrefs: 00007FF6570F1226
Failed to canonicalize the directory., xrefs: 00007FF6570F113F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Failed to canonicalize the directory.$Failed to canonicalize the path.$Failed to get length of canonicalized directory.$Failed to get length of canonicalized path.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\path2utl.cpp$wzDirectory is required.$wzDirectory must be a fully qualified path.$wzPath is required.
API String ID: 0-3471778437
Opcode ID: db76efad90147d71d36b0b8f27363ce663af105e838ddee49edf050a43f618dd
Instruction ID: 3211916e10f4bd7b115fe122573fe760fc3ec358db0422f28384d20c3d65be61
Opcode Fuzzy Hash: db76efad90147d71d36b0b8f27363ce663af105e838ddee49edf050a43f618dd
Instruction Fuzzy Hash: 6F6115A2B2874AC6EB60CF51DC8017922E4BF84794F5C4635D90DE7B98DF3CE4198B08

Function 00007FF657086424 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 150COMMON

Download Yara Rule

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00007FF657086492, 00007FF6570864C9, 00007FF657086624
Failed to get length of path to prefix., xrefs: 00007FF657086531
Failed to get size of full path., xrefs: 00007FF65708656B
\\?\, xrefs: 00007FF6570865F8
Expected fully qualified path provided to prefix: %ls., xrefs: 00007FF6570864A8
Failed to add prefix to UNC path., xrefs: 00007FF6570865E4
Failed to add prefix to file path., xrefs: 00007FF65708660D
\\?\UNC, xrefs: 00007FF6570865C8

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Expected fully qualified path provided to prefix: %ls.$Failed to add prefix to UNC path.$Failed to add prefix to file path.$Failed to get length of path to prefix.$Failed to get size of full path.$\\?\$\\?\UNC$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
API String ID: 0-3583157011
Opcode ID: a12aa26839a8212efae9c4ff9b64cb91badb033cfe9af1d7552efa41baf5d959
Instruction ID: 4669d519cf574b7fb21c9ff8c0574d1ccf7ecc21578936fab69ebd7f929527ff
Opcode Fuzzy Hash: a12aa26839a8212efae9c4ff9b64cb91badb033cfe9af1d7552efa41baf5d959
Instruction Fuzzy Hash: CF51CEA1B0875AC6FB218F61E8402B923E4AF44790F5D4236D90DE7B9ADF3CE959C700

Function 00007FF6570856E8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 137COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,?,00007FF657085161), ref: 00007FF657085799

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00007FF6570857DE, 00007FF657085839, 00007FF657085872, 00007FF6570858B0
Failed to reallocate space for full path., xrefs: 00007FF657085802
GetFullPathNameW results never converged., xrefs: 00007FF6570857F4
Failed to get max length of input buffer., xrefs: 00007FF657085740
Failed to get full path for string: %ls, xrefs: 00007FF657085864
Failed to get current directory., xrefs: 00007FF657085899
Failed to allocate space for full path., xrefs: 00007FF65708577B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FullNamePath
String ID: Failed to allocate space for full path.$Failed to get current directory.$Failed to get full path for string: %ls$Failed to get max length of input buffer.$Failed to reallocate space for full path.$GetFullPathNameW results never converged.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
API String ID: 608056474-2352071517
Opcode ID: 57833038a21a912b398dccbe3f71b7d3b3023ad11398f9ea11995bfab75e28fd
Instruction ID: 22acebc411b6a436044ed3944ef4000b6c4fa7720dc5cc3daadd712102e1c095
Opcode Fuzzy Hash: 57833038a21a912b398dccbe3f71b7d3b3023ad11398f9ea11995bfab75e28fd
Instruction Fuzzy Hash: 8D51F2A1B0874AC6FB21CB66E85027A23D1BF84B90F5C4036DD0DE7795EE3CE95A8340

Function 00007FF6570C46F4 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 127COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,00000000,?,00000000,00007FF6570C46A7,?,?,?,?,00000000,00007FF6570C7037,?,?,?,?), ref: 00007FF6570C4737
GetLastError.KERNEL32(?,?,00000000,?,00000000,00007FF6570C46A7,?,?,?,?,00000000,00007FF6570C7037,?,?,?,?), ref: 00007FF6570C4749

Strings

Failed to append cache action., xrefs: 00007FF6570C488A
d:\a\wix4\wix4\src\burn\engine\plan.cpp, xrefs: 00007FF6570C475D, 00007FF6570C478B
Failed to plan cache for package., xrefs: 00007FF6570C4866
Failed to append checkpoint before package start action., xrefs: 00007FF6570C47CB
Failed to append rollback cache action., xrefs: 00007FF6570C4800, 00007FF6570C4833
Failed to plan package cache syncpoint, xrefs: 00007FF6570C48BB
Failed to create syncpoint event., xrefs: 00007FF6570C477D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to append cache action.$Failed to append checkpoint before package start action.$Failed to append rollback cache action.$Failed to create syncpoint event.$Failed to plan cache for package.$Failed to plan package cache syncpoint$d:\a\wix4\wix4\src\burn\engine\plan.cpp
API String ID: 545576003-3436273000
Opcode ID: d0914f86cee8b0ec2ced260528ddd7a6b23984103b3be1bce50e0ea9257c05ec
Instruction ID: d2c2f62557f9f36c7be2221b916907ffb29f7e255527b74cb1fd590f8e4bf01c
Opcode Fuzzy Hash: d0914f86cee8b0ec2ced260528ddd7a6b23984103b3be1bce50e0ea9257c05ec
Instruction Fuzzy Hash: 4D51A0B1B08B8A86FB518B55D580379ABD8FB84791F484036EA0CE7B91EF7CE449C710

Function 00007FF6570A2660 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 124COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6570A2824

Strings

Failed to allocate access for Users group to path: %ls, xrefs: 00007FF6570A2741
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A276E, 00007FF6570A27F9
Failed to allocate access for Everyone group to path: %ls, xrefs: 00007FF6570A2717
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00007FF6570A26ED
Failed to create ACL to secure cache path: %ls, xrefs: 00007FF6570A2797
Failed to secure cache path: %ls, xrefs: 00007FF6570A27E8
Failed to allocate access for Administrators group to path: %ls, xrefs: 00007FF6570A26C3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 2826327444-3214910189
Opcode ID: 243e87a999ebd0d1ab40952a327c70c6d0e9f4ee8fde7ec225f2b59d1a11005f
Instruction ID: 406f47e19d46314eb0b044b33448815bf8e87d3812f216c358aa7db5bb681296
Opcode Fuzzy Hash: 243e87a999ebd0d1ab40952a327c70c6d0e9f4ee8fde7ec225f2b59d1a11005f
Instruction Fuzzy Hash: 4D51BDB5B18B5A86FB20CB60D4507AA23E4FB88744F484135DA4DE7B85DF7CE649C780

Function 00007FF65709E610 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 115COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,00000000,?,00007FF65709EFF0,?,?,?,00000000,?,?,?,00000001), ref: 00007FF65709E65B
ProcessIdToSessionId.KERNEL32(?,?,?,?,?,00000000,?,00007FF65709EFF0,?,?,?,00000000,?,?,?,00000001), ref: 00007FF65709E667

Strings

Failed to copy temp folder., xrefs: 00007FF65709E74A
d:\a\wix4\wix4\src\burn\engine\logging.cpp, xrefs: 00007FF65709E75B
Failed to get temp folder., xrefs: 00007FF65709E64A
Failed to format session id as a string., xrefs: 00007FF65709E68F
Failed to get length of session id string., xrefs: 00007FF65709E6EF
%u\, xrefs: 00007FF65709E679

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Process$CurrentSession
String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get temp folder.$d:\a\wix4\wix4\src\burn\engine\logging.cpp
API String ID: 2701954971-2959569260
Opcode ID: f0ca8641ff3292b95d7a62d5d417d438b0d5bfa7a547b383780b72ba57924fb0
Instruction ID: 4e3cb0da04b3803ea359ad7d8d18d89348ac64e0b81b09a164fa3aaf87596c20
Opcode Fuzzy Hash: f0ca8641ff3292b95d7a62d5d417d438b0d5bfa7a547b383780b72ba57924fb0
Instruction Fuzzy Hash: 3241D1A6B0864A8AFB24DF65D8401B922A5EF547D4F580135EA0DF7B94DE3CE849C300

Function 00007FF6570E826C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF65708543C: SetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF657085462
Part of subcall function 00007FF65708543C: GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF657085474
Part of subcall function 00007FF65708543C: GetLastError.KERNEL32(?,?,?,?,?,00007FF657081155), ref: 00007FF65708547E

GetComputerNameW.KERNEL32 ref: 00007FF6570E8304
_cwprintf_s_l.LIBCMT ref: 00007FF6570E8334
_cwprintf_s_l.LIBCMT ref: 00007FF6570E8366
_cwprintf_s_l.LIBCMT ref: 00007FF6570E8378
_cwprintf_s_l.LIBCMT ref: 00007FF6570E83D2

Strings

Executable: %ls v%d.%d.%d.%d, xrefs: 00007FF6570E8353
--- logging level: %hs ---, xrefs: 00007FF6570E83C9
=== Logging started: %ls ===, xrefs: 00007FF6570E8326
Computer : %ls, xrefs: 00007FF6570E8371

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _cwprintf_s_l$ErrorLastName$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 3251030568-3153207428
Opcode ID: 5ea016fcbd75f4c4ec5900e7a98313e076532851bda2b68c80d65b6df27ed871
Instruction ID: 8cbf756655d73538879fdc07a4291f7cc1bb044d65eeabc803293f161b72141c
Opcode Fuzzy Hash: 5ea016fcbd75f4c4ec5900e7a98313e076532851bda2b68c80d65b6df27ed871
Instruction Fuzzy Hash: 76512BB2A18A4A99EB14DF21D4503BD33A1FB44B48F5C553AEA0DE7A99DF3CE509C700

Function 00007FF657095E50 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF657095EC1
GetLastError.KERNEL32 ref: 00007FF657095ED0
GetProcAddress.KERNEL32 ref: 00007FF657095F40
GetLastError.KERNEL32 ref: 00007FF657095F4B

Strings

Failed to load BA DLL: %ls, xrefs: 00007FF657095F04
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00007FF657095F7F
d:\a\wix4\wix4\src\burn\engine\userexperience.cpp, xrefs: 00007FF657095EE4, 00007FF657095F25, 00007FF657095F5F, 00007FF657095F8D
Failed to create BA., xrefs: 00007FF657095FBF
BootstrapperApplicationCreate, xrefs: 00007FF657095F36

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create BA.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load BA DLL: %ls$d:\a\wix4\wix4\src\burn\engine\userexperience.cpp
API String ID: 1866314245-160439467
Opcode ID: c843d2d23e02fb10cdfc4e40948a9a6eebf659ada020a82c8a8ee113bf63683e
Instruction ID: da66fb90ac00ebd1a4f763b76180a63893ee2a3f16c154589fd9ffbb6ed1a852
Opcode Fuzzy Hash: c843d2d23e02fb10cdfc4e40948a9a6eebf659ada020a82c8a8ee113bf63683e
Instruction Fuzzy Hash: 75416B71B18B158AEB10CB66E8803A933E4BB48B54F584139DA4DE3B94EF3CE569C344

Function 00007FF657093640 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 91COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65709368A
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF657093699

Strings

Failed to set variable., xrefs: 00007FF657093768
File search: %ls, found directory at path: %ls, xrefs: 00007FF657093730
File search: %ls, failed get to file attributes. '%ls', xrefs: 00007FF657093709
File search: %ls, did not find path: %ls, xrefs: 00007FF657093720
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF6570936B8, 00007FF6570936E7, 00007FF657093779
Failed to format variable string., xrefs: 00007FF657093674

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$File search: %ls, failed get to file attributes. '%ls'$File search: %ls, found directory at path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 1799206407-2753988889
Opcode ID: b903b5c7d56ce00168fbc4cdd80d39e55c29728d0100a10a70a60c26580a0708
Instruction ID: ea8bb528c425b9f4f6d4fce63fd38c411fb4b0f6d5b993e421c7ba331b430fc7
Opcode Fuzzy Hash: b903b5c7d56ce00168fbc4cdd80d39e55c29728d0100a10a70a60c26580a0708
Instruction Fuzzy Hash: 8B41B4B1B18B5A82FB20CB16E880769A3E0EF59BE0F484135DA4DE7B95DF2CE555C700

Function 00007FF657093380 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 91COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF6570933CA
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF6570933D9

Strings

Directory search: %ls, failed get to directory attributes. '%ls', xrefs: 00007FF657093449
Failed to set variable., xrefs: 00007FF6570934A8
Directory search: %ls, found file at path: %ls, xrefs: 00007FF657093470
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF6570933F8, 00007FF657093427, 00007FF6570934B9
Failed to format variable string., xrefs: 00007FF6570933B4
Directory search: %ls, did not find path: %ls, xrefs: 00007FF657093460

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: Directory search: %ls, did not find path: %ls$Directory search: %ls, failed get to directory attributes. '%ls'$Directory search: %ls, found file at path: %ls$Failed to format variable string.$Failed to set variable.$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 1799206407-98901924
Opcode ID: e2287faf52cfcd9a4b05c1ad5e7f6265a16d6bd957921b3355e12b5bd84e01de
Instruction ID: 0248e71f1a0d60c30d1ca9f0a1b9044d712994d81f510637165266c2751ca788
Opcode Fuzzy Hash: e2287faf52cfcd9a4b05c1ad5e7f6265a16d6bd957921b3355e12b5bd84e01de
Instruction Fuzzy Hash: CF41E5B1B18B5A82FB208F16E88076963E0EF58BA0F484135DA4DE3B95DF7CE559C740

Function 00007FF6570814AC Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF6570814C6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF6570814D4
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF65708153B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081552

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 00007FF6570814E8, 00007FF657081517
SetDefaultDllDirectories, xrefs: 00007FF657081531
Failed to get module handle for kernel32., xrefs: 00007FF65708150B
SetDllDirectoryW, xrefs: 00007FF657081541
kernel32, xrefs: 00007FF6570814BF

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressProc$ErrorHandleLastModule
String ID: Failed to get module handle for kernel32.$SetDefaultDllDirectories$SetDllDirectoryW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp$kernel32
API String ID: 3392887714-1639946792
Opcode ID: 448f6d6d3fceaf8dddfeef816180ca98639cda4229b9d3adfdb510a3f0b884dc
Instruction ID: f3d6e7eef983d35eef99a2bf8c62defa9ee3b00fca65e92c4deeb5e8292d66f1
Opcode Fuzzy Hash: 448f6d6d3fceaf8dddfeef816180ca98639cda4229b9d3adfdb510a3f0b884dc
Instruction Fuzzy Hash: 5C112BE4B18B4A8AEB118F25E85427423E5BF58740F880139C90EE2364EF7CB25DC748

Function 00007FF6570A140C Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 183COMMON

Download Yara Rule

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A14A8, 00007FF6570A153B, 00007FF6570A1579, 00007FF6570A15C0, 00007FF6570A1617, 00007FF6570A1664
Failed authenticode verification of payload: %ls, xrefs: 00007FF6570A1568
Failed to get provider state from authenticode certificate., xrefs: 00007FF6570A15E1
Aborted cache verify payload signature begin., xrefs: 00007FF6570A1497
Failed to get signer chain from authenticode certificate., xrefs: 00007FF6570A1638
Failed to verify expected payload against actual certificate chain., xrefs: 00007FF6570A1653
, xrefs: 00007FF6570A14CE
P, xrefs: 00007FF6570A14FB

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: $Aborted cache verify payload signature begin.$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$P$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 0-3239389295
Opcode ID: 08dd8b6a2373310458455d9377b114611bb2719e7e8e543433c65bcdbe83985d
Instruction ID: 00446a1f4edc018c32fa67cac996cfaae3e08428efa31f861d0dfb2dfbef3534
Opcode Fuzzy Hash: 08dd8b6a2373310458455d9377b114611bb2719e7e8e543433c65bcdbe83985d
Instruction Fuzzy Hash: 4171A1A1B187598AF710CF66E8403AE27E5BB48794F880139DE4DE7B85DF3CD5098B44

Function 00007FF6570837B4 Relevance: 15.2, APIs: 4, Strings: 6, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF6570E7D05), ref: 00007FF657083852
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570E7D05), ref: 00007FF65708385F
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF6570E7D05), ref: 00007FF6570839A4
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570E7D05), ref: 00007FF6570839AE

Strings

failed to allocate string, len: %u, xrefs: 00007FF65708396A
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp, xrefs: 00007FF65708381F, 00007FF657083873, 00007FF6570838B0, 00007FF657083946, 00007FF6570839C2
failed to get required size for conversion to unicode: %s, xrefs: 00007FF657083893
Not enough memory to allocate string of size: %u, xrefs: 00007FF6570838FB
failed to convert to unicode: %s, xrefs: 00007FF6570839E2
failed to get size of destination string, xrefs: 00007FF657083800

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Not enough memory to allocate string of size: %u$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp$failed to allocate string, len: %u$failed to convert to unicode: %s$failed to get required size for conversion to unicode: %s$failed to get size of destination string
API String ID: 203985260-642716852
Opcode ID: da3039218adc81f24383304331035bda6c2f6f4b057e17fde15fc0ad0c03ca2e
Instruction ID: 42292db9c8c32814fc6458e9bd10b7d0fdb5280aa9b0deb890f8a8d10fc5ff2b
Opcode Fuzzy Hash: da3039218adc81f24383304331035bda6c2f6f4b057e17fde15fc0ad0c03ca2e
Instruction Fuzzy Hash: 7C61D561B18B4AC6EB20CF15E84066A77E4FB88B94F584235DA8DE3754EF3CE51AC704

Function 00007FF6570D1740 Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 149COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570B847C), ref: 00007FF6570D1778
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570B847C), ref: 00007FF6570D1963

Strings

BA requested unknown container with id: %ls, xrefs: 00007FF6570D1840
BA requested unknown payload with id: %ls, xrefs: 00007FF6570D17CE
Engine is active, cannot change engine state., xrefs: 00007FF6570D1790
d:\a\wix4\wix4\src\burn\engine\externalengine.cpp, xrefs: 00007FF6570D17DF, 00007FF6570D1944
Failed to set download user., xrefs: 00007FF6570D18B5
Failed to set download password., xrefs: 00007FF6570D18E8
BA did not provide container or payload id., xrefs: 00007FF6570D1933
Failed to set download URL., xrefs: 00007FF6570D187F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: BA did not provide container or payload id.$BA requested unknown container with id: %ls$BA requested unknown payload with id: %ls$Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$d:\a\wix4\wix4\src\burn\engine\externalengine.cpp
API String ID: 3168844106-103459661
Opcode ID: b9ed0b6623a0e6e4547915c46f82a2eaee7a7dad5ce791c4c77751d412e331ac
Instruction ID: 9c5ba89b97f120dd2db758eed7f874d933417002e37517907e543b9ec339bcf6
Opcode Fuzzy Hash: b9ed0b6623a0e6e4547915c46f82a2eaee7a7dad5ce791c4c77751d412e331ac
Instruction Fuzzy Hash: E4519CA6B28B5B81FB219B11E4406BA63E6EF94B80F5E4031CD4DE7694DF3CE549C305

Function 00007FF6570AE684 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570998C8: CompareStringW.KERNEL32 ref: 00007FF657099915

CompareStringW.KERNEL32 ref: 00007FF6570AE7CD

Strings

Failed to read package id., xrefs: 00007FF6570AE6DB
Package '%ls' has no compatible package to clean., xrefs: 00007FF6570AE8A3
Failed to find package: %ls, xrefs: 00007FF6570AE758
Failed to remove from cache compatible package: %ls, xrefs: 00007FF6570AE80B
Failed to read compatible package id., xrefs: 00007FF6570AE726
Package '%ls' has no compatible package with id: %ls, xrefs: 00007FF6570AE864
d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 00007FF6570AE6EC, 00007FF6570AE825, 00007FF6570AE841, 00007FF6570AE880, 00007FF6570AE8B9

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to find package: %ls$Failed to read compatible package id.$Failed to read package id.$Failed to remove from cache compatible package: %ls$Package '%ls' has no compatible package to clean.$Package '%ls' has no compatible package with id: %ls$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
API String ID: 1825529933-529956491
Opcode ID: 34399d768df18e0d49aa43e9dfe992324759d8d24ea4854b3b500236194cfebf
Instruction ID: 7dd10f02c569e7e62ec01a99dc8f2d75629dbe24bd7a309aa24501d4c8dc517d
Opcode Fuzzy Hash: 34399d768df18e0d49aa43e9dfe992324759d8d24ea4854b3b500236194cfebf
Instruction Fuzzy Hash: 4361AC72B18B8A85EB208B51E8815AD73E4FB88794F580536DE4CE7B98DF3CE519C740

Function 00007FF6570F6194 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 153registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,?,00000000,?,00007FF6570A3FBB), ref: 00007FF6570F6380

Strings

Failed to open pending file rename registry key., xrefs: 00007FF6570F6200
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00007FF6570F61B9
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\file2utl.cpp, xrefs: 00007FF6570F6352
PendingFileRenameOperations, xrefs: 00007FF6570F6225, 00007FF6570F631F
Failed to read pending file renames., xrefs: 00007FF6570F624E
Failed to compare path from pending file rename to check path., xrefs: 00007FF6570F63A0
Failed to update pending file renames., xrefs: 00007FF6570F633B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to compare path from pending file rename to check path.$Failed to open pending file rename registry key.$Failed to read pending file renames.$Failed to update pending file renames.$PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\file2utl.cpp
API String ID: 3535843008-1055086927
Opcode ID: 8a31e4e7bb34dc1cd83b7cf9048de4f798601f10815143cb8e07e02f0481c142
Instruction ID: 746a7561115624982c11cf5ccdd874ae7dae3b46e51f72b7d34766c17bfee6ed
Opcode Fuzzy Hash: 8a31e4e7bb34dc1cd83b7cf9048de4f798601f10815143cb8e07e02f0481c142
Instruction Fuzzy Hash: CC51B0A6B08A4A96EB209F55D8405BD27A5FF44798F1C0132EE0DE3794CF3AE45DC744

Function 00007FF6570BB658 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 150registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,00000000,00000000,?,?,?,?,00007FF6570BB964,?,?,?,?,?,?,?,00007FF6570A84DA), ref: 00007FF6570BB851

Strings

Failed to open registry key: %ls., xrefs: 00007FF6570BB710
Failed to read QuietUninstallString., xrefs: 00007FF6570BB81B
d:\a\wix4\wix4\src\burn\engine\exeengine.cpp, xrefs: 00007FF6570BB6FF, 00007FF6570BB82C
QuietUninstallString, xrefs: 00007FF6570BB7FA
Failed to compare versions., xrefs: 00007FF6570BB7C5
DisplayVersion, xrefs: 00007FF6570BB746
Failed to read DisplayVersion., xrefs: 00007FF6570BB76F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: DisplayVersion$Failed to compare versions.$Failed to open registry key: %ls.$Failed to read DisplayVersion.$Failed to read QuietUninstallString.$QuietUninstallString$d:\a\wix4\wix4\src\burn\engine\exeengine.cpp
API String ID: 3535843008-915021512
Opcode ID: ac021f0d4ad47cbd35175f7e37a5cf47a107297fef55f15788c3b23784f1e375
Instruction ID: 972052c00402ae7531e7cf0a4b32b3d1f2b3c7c9c749becc866468897d23c6c8
Opcode Fuzzy Hash: ac021f0d4ad47cbd35175f7e37a5cf47a107297fef55f15788c3b23784f1e375
Instruction Fuzzy Hash: C8516BB2A0864A8AEB20DF55D8806BD23A4FF44798F584135DE1DE7B95DF3DE949C300

Function 00007FF65708F718 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 149COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF65708F901

Strings

d:\a\wix4\wix4\src\burn\engine\condition.cpp, xrefs: 00007FF65708F76B, 00007FF65708F7BA, 00007FF65708F7F3, 00007FF65708F836, 00007FF65708F865, 00007FF65708F8A7, 00007FF65708F92E
Failed to find variable., xrefs: 00007FF65708F7CB
Failed to read next symbol., xrefs: 00007FF65708F91D
Failed to format variable '%ls' for condition '%ls', xrefs: 00007FF65708F859
Failed to parse condition '%ls' at position: %u, xrefs: 00007FF65708F78C
Failed to get if variable is hidden., xrefs: 00007FF65708F804
Failed to store formatted value for variable '%ls' for condition '%ls', xrefs: 00007FF65708F8CA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Failed to find variable.$Failed to format variable '%ls' for condition '%ls'$Failed to get if variable is hidden.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$Failed to store formatted value for variable '%ls' for condition '%ls'$d:\a\wix4\wix4\src\burn\engine\condition.cpp
API String ID: 3215553584-164709811
Opcode ID: 1fdbb18b1e99bb94b29e364002afcf10c44d5f7b1fe3c45bdbae2cbbdf7d2e1a
Instruction ID: 21bd8de660d481984681f12748b27143473b388d4002017f2217a3cf2b8c6551
Opcode Fuzzy Hash: 1fdbb18b1e99bb94b29e364002afcf10c44d5f7b1fe3c45bdbae2cbbdf7d2e1a
Instruction Fuzzy Hash: 2F6173B1B18B5AC2EB109B65D48026A73E0FB48790F484136DA4DE3B96DF3CF569C740

Function 00007FF6570A579C Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 148COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570A589F

Part of subcall function 00007FF65708C6C4: EnterCriticalSection.KERNEL32 ref: 00007FF65708C6E6
Part of subcall function 00007FF65708C6C4: LeaveCriticalSection.KERNEL32 ref: 00007FF65708C775

CompareStringW.KERNEL32 ref: 00007FF6570A590D

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A595C
Failed to trim source folder., xrefs: 00007FF6570A58C4
Failed to determine length of relative path., xrefs: 00007FF6570A5866
WixBundleLastUsedSource, xrefs: 00007FF6570A58DD, 00007FF6570A592E
Failed to determine length of source path., xrefs: 00007FF6570A5817
Failed to set last source., xrefs: 00007FF6570A594B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareCriticalSectionString$EnterLeave
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 1408779843-3313679279
Opcode ID: d80546b3a50a9189c6e3d5ee172a5ebb3de63259478a59f8194fa4c749a4eb7c
Instruction ID: 22d4daf5c7d9adc457b3b7dfd50125dced9228a2c5d3da844daf587cff5af59c
Opcode Fuzzy Hash: d80546b3a50a9189c6e3d5ee172a5ebb3de63259478a59f8194fa4c749a4eb7c
Instruction Fuzzy Hash: DC51D3B1B08B4B82EB208B56E4405BA66D1BF847E0F5C4235D95DFBBA4DF3CE6488700

Function 00007FF6570CB480 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6570CB524
_cwprintf_s_l.LIBCMT ref: 00007FF6570CB552
_cwprintf_s_l.LIBCMT ref: 00007FF6570CB580

Strings

Verification failed on container: %ls, xrefs: 00007FF6570CB51D
Verification failed on payload: %ls, xrefs: 00007FF6570CB579
Verification failed on payload group item: %ls, xrefs: 00007FF6570CB548
Verification failed on unknown item, xrefs: 00007FF6570CB595

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: Verification failed on container: %ls$Verification failed on payload group item: %ls$Verification failed on payload: %ls$Verification failed on unknown item
API String ID: 2941638530-3108875620
Opcode ID: e5c5d43e2a60a3478df85ace7e2cc9d028fe75ab9ce8f4e41d72fb322722f553
Instruction ID: fb1c3a1e53bdaa161117c842ba2d351931824efa563d84378e84e43be69b28af
Opcode Fuzzy Hash: e5c5d43e2a60a3478df85ace7e2cc9d028fe75ab9ce8f4e41d72fb322722f553
Instruction Fuzzy Hash: 1B4143F290864981EB24AF26D194279B7E4EB45B89F1D4036CB0DEB395CF6DDC48C750

Function 00007FF6570E910C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 00007FF6570E91F3
GetLastError.KERNEL32 ref: 00007FF6570E91FD
CloseHandle.KERNEL32 ref: 00007FF6570E9279
CloseHandle.KERNEL32 ref: 00007FF6570E928D

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E918D, 00007FF6570E9211, 00007FF6570E9235
Failed to allocate full command-line., xrefs: 00007FF6570E9181
"%ls" %ls, xrefs: 00007FF6570E9165
Failed to create process: %ls, xrefs: 00007FF6570E9247

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$Failed to allocate full command-line.$Failed to create process: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 161867955-574850417
Opcode ID: bf3f04070760b52da87ffb570d4b5bfb6d777464a8717cc438b9f559b0254a56
Instruction ID: 4831e9df036649becf0776b5d7fb668a70874ddd4c14a61910a09a30827262ad
Opcode Fuzzy Hash: bf3f04070760b52da87ffb570d4b5bfb6d777464a8717cc438b9f559b0254a56
Instruction Fuzzy Hash: B3516E72B18B4A8AEB208F61D4807A933E5EB44748F580139DE4DE7A54DF3CD519C744

Function 00007FF6570AA934 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 106threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF6570AAA04
GetLastError.KERNEL32 ref: 00007FF6570AAA3A

Strings

Failed to cache engine to working directory., xrefs: 00007FF6570AAA29
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570AAA4E, 00007FF6570AAA8A, 00007FF6570AAAC5
Failed to actually elevate., xrefs: 00007FF6570AAAB4
Failed to create unelevated logging thread., xrefs: 00007FF6570AAA6E
WixBundleElevated, xrefs: 00007FF6570AA9D5, 00007FF6570AAA79
Failed to overwrite the %ls built-in variable., xrefs: 00007FF6570AAA91

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: Failed to actually elevate.$Failed to cache engine to working directory.$Failed to create unelevated logging thread.$Failed to overwrite the %ls built-in variable.$WixBundleElevated$d:\a\wix4\wix4\src\burn\engine\core.cpp
API String ID: 1689873465-937186276
Opcode ID: 989001d9cd542178439b8a18da00df32baf7a9c0f2142518d3b5cbeeae2207ba
Instruction ID: f42d45de8bd1b84dbe9a539bbdb19e1c9d31dbaeb6ba293cfa5c1704cbcfe77d
Opcode Fuzzy Hash: 989001d9cd542178439b8a18da00df32baf7a9c0f2142518d3b5cbeeae2207ba
Instruction Fuzzy Hash: CA41F3B1B08B5A96EB20CB11E4807AA63D0FB547A4F480235DA5DE3BD4DF7CE659C740

Function 00007FF65708624C Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 106COMMON

Download Yara Rule

APIs

GetVolumePathNameW.KERNEL32 ref: 00007FF6570862B1
GetLastError.KERNEL32 ref: 00007FF6570862BB

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp, xrefs: 00007FF65708632D, 00007FF65708639F, 00007FF6570863C4
Failed to terminate volume path name with backslash., xrefs: 00007FF657086316
Failed to allocate space for volume path name., xrefs: 00007FF65708636F
Failed to get max length of input buffer., xrefs: 00007FF657086285
Failed to get volume path name of: %ls, xrefs: 00007FF6570863B6
Failed to re-allocate more space for volume path name., xrefs: 00007FF65708637D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLastNamePathVolume
String ID: Failed to allocate space for volume path name.$Failed to get max length of input buffer.$Failed to get volume path name of: %ls$Failed to re-allocate more space for volume path name.$Failed to terminate volume path name with backslash.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\pathutil.cpp
API String ID: 836773004-3870598061
Opcode ID: 111ae56f78872d22bdadff5a5081fc48684e45e9a0027fa682dcb12ef0333480
Instruction ID: b350754ad659881747a00a05dd07d8473c5f1856a944bbc80d837e2dc1ece07b
Opcode Fuzzy Hash: 111ae56f78872d22bdadff5a5081fc48684e45e9a0027fa682dcb12ef0333480
Instruction Fuzzy Hash: 4641F9A1B08B4B86FB10DF25D49027A63D0AF84790F5D4135DE0EE7792EE3CE9598744

Function 00007FF6570EE814 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6570EE83F
VariantInit.OLEAUT32 ref: 00007FF6570EE84C
VariantClear.OLEAUT32 ref: 00007FF6570EE95A
SysFreeString.OLEAUT32 ref: 00007FF6570EE968

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EE881, 00007FF6570EE8D6
failed get_nodeValue in XmlGetAttribute(%ls), xrefs: 00007FF6570EE907
failed getNamedItem in XmlGetAttribute(%ls), xrefs: 00007FF6570EE8BA
failed get_attributes, xrefs: 00007FF6570EE875

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed getNamedItem in XmlGetAttribute(%ls)$failed get_attributes$failed get_nodeValue in XmlGetAttribute(%ls)
API String ID: 760788290-1291303398
Opcode ID: 04b908322ec78d3d9644c64800fdb29fe662aa3cdc8df159d978eb656784be6c
Instruction ID: c379bca60de19c49565e4e1347dae61d89d527a9a82ec4e854d3547001d9ea3e
Opcode Fuzzy Hash: 04b908322ec78d3d9644c64800fdb29fe662aa3cdc8df159d978eb656784be6c
Instruction Fuzzy Hash: 8E412166B09B4E95FB508F21E8842A823A0FB58B98F484131DE4DE7768DF3DE54AC344

Function 00007FF6570D352C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 94synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6570D3558
ReleaseMutex.KERNEL32 ref: 00007FF6570D3574
WaitForSingleObject.KERNEL32 ref: 00007FF6570D35C2
ReleaseMutex.KERNEL32 ref: 00007FF6570D35E0
SetEvent.KERNEL32 ref: 00007FF6570D35EA

Strings

Failed to send files in use message from netfx chainer., xrefs: 00007FF6570D363C
d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp, xrefs: 00007FF6570D364D
Failed to get message from netfx chainer., xrefs: 00007FF6570D360E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
API String ID: 2608678126-3113603724
Opcode ID: 7360c2685d6a1c5e619b77fc17da6f1d68f25e6ceaba4a394f00c60c14702ca6
Instruction ID: 2a8b9ebcdc8ea6c85582e29b1e3ffa0e5e4d5f70d1a78af226016ca6f8dfc488
Opcode Fuzzy Hash: 7360c2685d6a1c5e619b77fc17da6f1d68f25e6ceaba4a394f00c60c14702ca6
Instruction Fuzzy Hash: 0F41B2B2A04A4586EB109B66D8507B967A0FB44B98F084135DE4EE7B95CF3CE189C704

Function 00007FF6570934F4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65709355F
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65709356A

Strings

Failed to set directory search path variable., xrefs: 00007FF6570935A3
Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00007FF657093609
Failed while searching directory search: %ls, for path: %ls, xrefs: 00007FF6570935EE
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF657093539, 00007FF6570935C9
Failed to format variable string., xrefs: 00007FF657093528

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 1799206407-3779749482
Opcode ID: 1090c286c10424d5050651fb8cfff8493fd4ae2110632084a746dc025d3ad9bd
Instruction ID: 65ab9e4af8b3ce2d28531573dd658b931ee6e3a05ac4d6e9ed8074d47c1d497f
Opcode Fuzzy Hash: 1090c286c10424d5050651fb8cfff8493fd4ae2110632084a746dc025d3ad9bd
Instruction Fuzzy Hash: BB31E7B1B0CB4682E7108F56E48036AB7A0FB58BA4F584235DA4DD3794DF7CE558CB00

Function 00007FF6570B769C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 82threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570817DC: WaitForMultipleObjects.KERNEL32(?,?,?,?,?,?,?,00007FF6570B76DD), ref: 00007FF6570817EA

GetExitCodeThread.KERNEL32 ref: 00007FF6570B772E
GetLastError.KERNEL32 ref: 00007FF6570B773C
ResetEvent.KERNEL32 ref: 00007FF6570B7783
GetLastError.KERNEL32 ref: 00007FF6570B778D

Strings

Failed to reset operation complete event., xrefs: 00007FF6570B77C7
d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B7705, 00007FF6570B7752, 00007FF6570B77A3
Failed to get extraction thread exit code., xrefs: 00007FF6570B7776
Failed to wait for operation complete event., xrefs: 00007FF6570B76E4

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 2979751695-3676338304
Opcode ID: b0f0e19d2aeef80889ef2fdce9b50f6dd2143cceb1ca970ca2d039745b42c2e3
Instruction ID: e8e30846dc9ed672fa0666d8acd0b1a4cb125370f74c1695b793cd818490568f
Opcode Fuzzy Hash: b0f0e19d2aeef80889ef2fdce9b50f6dd2143cceb1ca970ca2d039745b42c2e3
Instruction Fuzzy Hash: 853190B1B1861A8EEB60CF29E840BB923E4FB14758F481535D90DD7A94DF38E618CB44

Function 00007FF6570937B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65709381F
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65709382A

Strings

Failed while searching file search: %ls, for path: %ls, xrefs: 00007FF65709387A
Failed to set variable to file search path., xrefs: 00007FF6570938B4
File search: %ls, did not find path: %ls, xrefs: 00007FF6570938C9
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF6570937F9, 00007FF657093855
Failed to format variable string., xrefs: 00007FF6570937E8

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 1799206407-4254414841
Opcode ID: a41bb36d4f9d47d8d6df555aba33d6efb8da0cdc15a220fbd95cfc4a37b9ecb4
Instruction ID: 4ab64d2d26830859e48029cbe94e6de014fa9783b8a177891f38aea125a35bb2
Opcode Fuzzy Hash: a41bb36d4f9d47d8d6df555aba33d6efb8da0cdc15a220fbd95cfc4a37b9ecb4
Instruction Fuzzy Hash: 0C31B6B1B08B4A86EB109F52E4803BAB3A0FB58BA4F484136DA4DE3795DF7CE555C700

Function 00007FF6570B77F0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF6570B7814
GetLastError.KERNEL32 ref: 00007FF6570B781E
CloseHandle.KERNEL32 ref: 00007FF6570B78A6
CloseHandle.KERNEL32 ref: 00007FF6570B78BA
CloseHandle.KERNEL32 ref: 00007FF6570B78CE

Strings

d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B7832, 00007FF6570B7881
Failed to wait for thread to terminate., xrefs: 00007FF6570B7870
Failed to set begin operation event., xrefs: 00007FF6570B7850

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$ErrorEventLast
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 477349713-3622178965
Opcode ID: ae98eeaf17bd63a620f04e4ae34fc813bbf68f8450895fb3336af60218ff17c0
Instruction ID: fb7bf397d95b823e9c9c7ed610bec8d4e00d67974952e602c1bf2391931cbc1d
Opcode Fuzzy Hash: ae98eeaf17bd63a620f04e4ae34fc813bbf68f8450895fb3336af60218ff17c0
Instruction Fuzzy Hash: F53181A2B19A4A85FB619F25E85037923E4EF84F54F1D1236C90EEB6A4CF3CE549C304

Function 00007FF6570FD330 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 168COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?), ref: 00007FF6570FD434

Strings

h, xrefs: 00007FF6570FD3A1
Failed to copy password., xrefs: 00007FF6570FD50A
Failed to crack URI., xrefs: 00007FF6570FD468
Failed to copy user name., xrefs: 00007FF6570FD4E0
Failed to copy path., xrefs: 00007FF6570FD533
Failed to copy host name., xrefs: 00007FF6570FD4A0
Failed to copy query string., xrefs: 00007FF6570FD55C
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\uriutil.cpp, xrefs: 00007FF6570FD448, 00007FF6570FD573

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to copy host name.$Failed to copy password.$Failed to copy path.$Failed to copy query string.$Failed to copy user name.$Failed to crack URI.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\uriutil.cpp$h
API String ID: 1452528299-3434687612
Opcode ID: cea0aa5efc1f7c9e1bb249afe66edd9a36e630d0e36dcb0b65151b22cc02fe36
Instruction ID: 59a783c66b909e1cb95b0e55f54c0389b155b8b02d0970598bf310e0f0fed1bf
Opcode Fuzzy Hash: cea0aa5efc1f7c9e1bb249afe66edd9a36e630d0e36dcb0b65151b22cc02fe36
Instruction Fuzzy Hash: 50618362B18B668AFB21DB26D8502A977E4FB44798F580035DE4CE7B58DF3CE44AC704

Function 00007FF6570EB744 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 141stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,00000001,00000000,?,BundleUpgradeCode,?,00007FF65709D5F2), ref: 00007FF6570EB78C
lstrlenW.KERNEL32(?,?,00000000,?,00000001,00000000,?,BundleUpgradeCode,?,00007FF65709D5F2), ref: 00007FF6570EB82F

Strings

Failed to get total string size in bytes, xrefs: 00007FF6570EB868
BundleUpgradeCode, xrefs: 00007FF6570EB754
DWORD Overflow while adding length of string to write REG_MULTI_SZ, xrefs: 00007FF6570EB7D3
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EB7F5, 00007FF6570EB8C3, 00007FF6570EB907
failed to copy string: %ls, xrefs: 00007FF6570EB87D
Failed to set registry value to array of strings (first string of which is): %ls, xrefs: 00007FF6570EB8EE
Failed to allocate space for string while writing REG_MULTI_SZ, xrefs: 00007FF6570EB7BC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: lstrlen
String ID: BundleUpgradeCode$DWORD Overflow while adding length of string to write REG_MULTI_SZ$Failed to allocate space for string while writing REG_MULTI_SZ$Failed to get total string size in bytes$Failed to set registry value to array of strings (first string of which is): %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp$failed to copy string: %ls
API String ID: 1659193697-1095722736
Opcode ID: 0c8db8c1d647daee6811db65f8cc7edb9aa30ff69f730cd52d0868e6cbdf8dc4
Instruction ID: e82d78bfa1828800bf1ba3cab2a3b963300fd627c71ade77c2c7b10378489c1a
Opcode Fuzzy Hash: 0c8db8c1d647daee6811db65f8cc7edb9aa30ff69f730cd52d0868e6cbdf8dc4
Instruction Fuzzy Hash: B551C572B1864A86EB20DB16E88067A73E5FB84784F580135DE4DE7B94DF3CE54AC704

Function 00007FF65709BE54 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570879E8: CreateDirectoryW.KERNELBASE ref: 00007FF657087A0C
Part of subcall function 00007FF6570879E8: GetLastError.KERNEL32 ref: 00007FF657087A1A

lstrlenA.KERNEL32(?,?,00000000,?,?,UninstallString,?,00007FF65709DCCE,?,?,?,?,?,?,?,00000001), ref: 00007FF65709BEF9

Part of subcall function 00007FF6570F34C4: CreateFileW.KERNEL32 ref: 00007FF6570F34FC
Part of subcall function 00007FF6570F34C4: GetLastError.KERNEL32 ref: 00007FF6570F350B

Strings

UninstallString, xrefs: 00007FF65709BE5A
Failed to format tag folder path., xrefs: 00007FF65709BF9C
Failed to allocate regid folder path., xrefs: 00007FF65709BF8E
Failed to create regid folder: %ls, xrefs: 00007FF65709BF56
Failed to write tag xml to file: %ls, xrefs: 00007FF65709BF3F
Failed to allocate regid file path., xrefs: 00007FF65709BF80
swidtag, xrefs: 00007FF65709BEB4
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709BF62, 00007FF65709BFAD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFilelstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$UninstallString$d:\a\wix4\wix4\src\burn\engine\registration.cpp$swidtag
API String ID: 583680227-3963219723
Opcode ID: 5eee227d26c5bbc2545bbe0743be1ea8469addc0a4c3c9764afd91f31d42a23d
Instruction ID: d366f2b80d66d087ddffad22d8cc9836789c9f9b0275e44735629bbbee795db7
Opcode Fuzzy Hash: 5eee227d26c5bbc2545bbe0743be1ea8469addc0a4c3c9764afd91f31d42a23d
Instruction Fuzzy Hash: D841B766B08A4AC6EB20DF61D8902BA27A0FF847D4F5C0135EA4EE7795DF3CE4498740

Function 00007FF65708C44C Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 95stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF65708C470

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708C55D
Failed to copy string., xrefs: 00007FF65708C54C
Failed to format escape sequence., xrefs: 00007FF65708C528
[\%c], xrefs: 00007FF65708C4D7
Failed to allocate buffer for escaped string., xrefs: 00007FF65708C48B
Failed to append characters., xrefs: 00007FF65708C50C
Failed to append escape sequence., xrefs: 00007FF65708C51A
[]{}, xrefs: 00007FF65708C49C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 1659193697-948137518
Opcode ID: f181f5cfda94b82798c557f91287248f53b5dd61664764472d4e82c33d666d9d
Instruction ID: 6e29e0e1f1b54ea2236c2ffaf0e4114b4d2f0b75232f4e2185adbdee345b5a82
Opcode Fuzzy Hash: f181f5cfda94b82798c557f91287248f53b5dd61664764472d4e82c33d666d9d
Instruction Fuzzy Hash: FE419EA1B0CB4B82FE21DB15E49027A67A1EF89790F8C0135DA4DE7B95EF3CE5498700

Function 00007FF6570D6790 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6570D67ED

Part of subcall function 00007FF6570D7700: __GetUnwindTryBlock.LIBCMT ref: 00007FF6570D7743
Part of subcall function 00007FF6570D7700: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6570D7768

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6570D68C5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6570D6B1A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6570D6C26

Strings

csm, xrefs: 00007FF6570D68E8
csm, xrefs: 00007FF6570D686E
csm, xrefs: 00007FF6570D6807

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 4a126f0858004de00b91a77098e1360e43e4923f3ec0f1a8572f5c416e274b5d
Instruction ID: 55edfe519c4faa4032f66e8f826e9e478c660af05a7ebad4766e7b98e3a80aaa
Opcode Fuzzy Hash: 4a126f0858004de00b91a77098e1360e43e4923f3ec0f1a8572f5c416e274b5d
Instruction Fuzzy Hash: 4CE17FB2A087498AEB209F65D4402BD7BE4FB45798F085535EE8DE7B55DF38E088CB04

Function 00007FF6570C24EC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570C2599

Strings

Failed to plan action for target product., xrefs: 00007FF6570C263F
Failed to get msp ui options., xrefs: 00007FF6570C2743
Failed to grow array of ordered patches., xrefs: 00007FF6570C27AC
d:\a\wix4\wix4\src\burn\engine\mspengine.cpp, xrefs: 00007FF6570C2650
Failed to copy target product code., xrefs: 00007FF6570C26E4
Failed to insert execute action., xrefs: 00007FF6570C25FC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy target product code.$Failed to get msp ui options.$Failed to grow array of ordered patches.$Failed to insert execute action.$Failed to plan action for target product.$d:\a\wix4\wix4\src\burn\engine\mspengine.cpp
API String ID: 1825529933-3199010431
Opcode ID: 006059620466686e38a7c9fd1d41e2364172babfd58cf0fbdff7f952d8eb9982
Instruction ID: 234bccef2c1830c1c2a1a3588cec3049630e9ccc0556df38f33bd079649663c8
Opcode Fuzzy Hash: 006059620466686e38a7c9fd1d41e2364172babfd58cf0fbdff7f952d8eb9982
Instruction Fuzzy Hash: 87A1ABB2B04B5A86EB10CF65D480AAD77A8FB48B98F054536DE4DE7B94DF38D448C710

Function 00007FF6570B9F90 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 143COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570B9FEA

Strings

d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp, xrefs: 00007FF6570BA04B, 00007FF6570BA132, 00007FF6570BA15F
Failed to read version from registry for related bundle package: %ls, xrefs: 00007FF6570BA035
Failed to compare related bundle package version: %ls, xrefs: 00007FF6570BA0D7
Failed to parse related bundle package version: %ls, xrefs: 00007FF6570BA088
BundleVersion, xrefs: 00007FF6570BA016
BA aborted detect related BUNDLE package., xrefs: 00007FF6570BA143

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect related BUNDLE package.$BundleVersion$Failed to compare related bundle package version: %ls$Failed to parse related bundle package version: %ls$Failed to read version from registry for related bundle package: %ls$d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp
API String ID: 1825529933-91615274
Opcode ID: cb528ebc121b0a8c01e5ef6247dbb88559ba51381a21d680fdfffc3dfeaa80cf
Instruction ID: e204d316749b574abc9da70c085dd54dee58ff1bf07cbc7516500ceb7462ee5e
Opcode Fuzzy Hash: cb528ebc121b0a8c01e5ef6247dbb88559ba51381a21d680fdfffc3dfeaa80cf
Instruction Fuzzy Hash: A951D5B2A18A4AC6EB20CF25D4402AE33E5FB88798F184136EA4DD7B55DF3DE545C740

Function 00007FF6570F532C Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 132registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F4AE4: lstrlenW.KERNEL32(?,?,?,?,?,00007FF6570F51B3,?,?,?,?,?,?,?,?,?,00007FF6570A6BDE), ref: 00007FF6570F4B23

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000000,00000000,00007FF6570A6EF8), ref: 00007FF6570F550A

Strings

Failed to set the %ls registry value to %d., xrefs: 00007FF6570F54DB
Failed to create the dependency registry key "%ls"., xrefs: 00007FF6570F53EE
default, xrefs: 00007FF6570F5414
Failed to allocate the registry key for dependency "%ls"., xrefs: 00007FF6570F5378
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00007FF6570F538F, 00007FF6570F54ED
Failed to set the %ls registry value to "%ls"., xrefs: 00007FF6570F542A, 00007FF6570F5465, 00007FF6570F549D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Closelstrlen
String ID: Failed to allocate the registry key for dependency "%ls".$Failed to create the dependency registry key "%ls".$Failed to set the %ls registry value to "%ls".$Failed to set the %ls registry value to %d.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp$default
API String ID: 3903209405-1837950187
Opcode ID: b3908cdabd743303d6dbad002227988a35cc7fc4f003525a060f620f80bd6864
Instruction ID: 3418ffa6a88fd84cac11ee2c7b3060843e32fd2697fb1da0e30981070d792c40
Opcode Fuzzy Hash: b3908cdabd743303d6dbad002227988a35cc7fc4f003525a060f620f80bd6864
Instruction Fuzzy Hash: C0517F72B18B4A86EB208B12E8807AA73F4FB44784F180535EE4DE7B59DF3CE4458740

Function 00007FF6570E0900 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6570E0AE4,?,?,00000000,00007FF6570DFD27,?,?,?,00007FF6570DB769), ref: 00007FF6570E0A7C
GetProcAddress.KERNEL32(?,?,?,00007FF6570E0AE4,?,?,00000000,00007FF6570DFD27,?,?,?,00007FF6570DB769), ref: 00007FF6570E0A88

Strings

api-ms-, xrefs: 00007FF6570E09C6
ext-ms-, xrefs: 00007FF6570E09D9

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 9729d33b41587ab7f35ee08c5b2844b24fe1ad7c971b0a8f095eaffae6c23831
Instruction ID: bbeb85d4811140ca8640024dbeb9f698fe4ca0900c023d04dd6c3753bc1e0bba
Opcode Fuzzy Hash: 9729d33b41587ab7f35ee08c5b2844b24fe1ad7c971b0a8f095eaffae6c23831
Instruction Fuzzy Hash: 5B41D5A2B19A4F82FA66CB26AC0057623D1BF45BA0F1C4139DD1DEB795EE3CE5498310

Function 00007FF6570F2528 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(?,?,?,?,?,?,?,00007FF6570F2732), ref: 00007FF6570F256E
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570F2732), ref: 00007FF6570F257C
MoveFileExW.KERNEL32(?,?,?,?,?,?,?,00007FF6570F2732), ref: 00007FF6570F2657
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570F2732), ref: 00007FF6570F2661

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F2628, 00007FF6570F267E
failed to create directory while moving file: '%ls' to: '%ls', xrefs: 00007FF6570F2617
failed to move file: '%ls' to: '%ls', xrefs: 00007FF6570F268F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastMove
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to create directory while moving file: '%ls' to: '%ls'$failed to move file: '%ls' to: '%ls'
API String ID: 55378915-4053860161
Opcode ID: 6c4a27557705df402d0dd7d67f60055d13dfcfda9cb0b851866f681bd73868ca
Instruction ID: 0da93bc3378b0cc6e0fcb9eaec3bacd60387e48d8bee0ae0b5f938ef65570334
Opcode Fuzzy Hash: 6c4a27557705df402d0dd7d67f60055d13dfcfda9cb0b851866f681bd73868ca
Instruction Fuzzy Hash: EC41CDA1B1874A82FB609B169840A3D63D1AF88BD0F1C4035DE4EE3794DE3CE859CB08

Function 00007FF6570F5178 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 117registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F4AE4: lstrlenW.KERNEL32(?,?,?,?,?,00007FF6570F51B3,?,?,?,?,?,?,?,?,?,00007FF6570A6BDE), ref: 00007FF6570F4B23

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6570A6BDE,?,?,?,?,?,00007FF6570A681A), ref: 00007FF6570F52F4

Strings

Failed to open the registry key for the dependency "%ls"., xrefs: 00007FF6570F51FE
Failed to get the name for the dependency "%ls"., xrefs: 00007FF6570F527C
Failed to get the id for the dependency "%ls"., xrefs: 00007FF6570F5243
Failed to allocate the registry key for dependency "%ls"., xrefs: 00007FF6570F51B9
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp, xrefs: 00007FF6570F52D6
Failed to get the version for the dependency "%ls"., xrefs: 00007FF6570F52BA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Closelstrlen
String ID: Failed to allocate the registry key for dependency "%ls".$Failed to get the id for the dependency "%ls".$Failed to get the name for the dependency "%ls".$Failed to get the version for the dependency "%ls".$Failed to open the registry key for the dependency "%ls".$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\deputil.cpp
API String ID: 3903209405-4075874421
Opcode ID: 3bb1e8b4410e277c7d05c4e48e9c1a6479f0067b10255a7b6e57f7892f59e7e1
Instruction ID: 52eb2670361521e7d71e769c35d1b45c25b9a2a10a827f9e3e6d20ccefd2e048
Opcode Fuzzy Hash: 3bb1e8b4410e277c7d05c4e48e9c1a6479f0067b10255a7b6e57f7892f59e7e1
Instruction Fuzzy Hash: 9241B3A1B08B4E86EB608B52E8C017A62E4FF99B90F1C4531DE1DE7B55DF3DE8498704

Function 00007FF65708232C Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 111COMMON

Download Yara Rule

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp, xrefs: 00007FF6570823C8, 00007FF6570823F4, 00007FF657082424, 00007FF657082470, 00007FF6570824A4
Source string is too long: %Iu, xrefs: 00007FF657082413
Failed to allocate a copy of the source string., xrefs: 00007FF65708235F
Failed to convert the string case., xrefs: 00007FF657082490
Failed to get the length of the string., xrefs: 00007FF6570823D9

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Failed to allocate a copy of the source string.$Failed to convert the string case.$Failed to get the length of the string.$Source string is too long: %Iu$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp
API String ID: 0-2897498883
Opcode ID: 6af81e918d7376661143e580a6c107a6a87637f6b25fbe547b864396dbf8c8cd
Instruction ID: 12ca45761a66a5ab08524fb86bf346e31a412dcd7f02bbc2a96772d24f5d6198
Opcode Fuzzy Hash: 6af81e918d7376661143e580a6c107a6a87637f6b25fbe547b864396dbf8c8cd
Instruction Fuzzy Hash: 7141E5A1B1874AC6EB208B51E88057A73E1AF94BA0F5C0139C90DE7B91EF3CE518C704

Function 00007FF6570B9224 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 107registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00007FF6570B9567), ref: 00007FF6570B9392

Strings

Failed to open registry key: %ls., xrefs: 00007FF6570B9307
d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp, xrefs: 00007FF6570B92F6, 00007FF6570B936C
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00007FF6570B928D
Failed to build full key path., xrefs: 00007FF6570B92A2
Failed to read QuietUninstallString., xrefs: 00007FF6570B935B
QuietUninstallString, xrefs: 00007FF6570B9333

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to build full key path.$Failed to open registry key: %ls.$Failed to read QuietUninstallString.$QuietUninstallString$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$d:\a\wix4\wix4\src\burn\engine\bundlepackageengine.cpp
API String ID: 3535843008-1706903631
Opcode ID: 2b9439b3b14b78849ad5d48e88a30c2fe6a3e6a89a1afee7eaad107850a8e180
Instruction ID: 20602fd18b4948aea8c019e3707a238241d1e040b5b9250bbce522d04b691679
Opcode Fuzzy Hash: 2b9439b3b14b78849ad5d48e88a30c2fe6a3e6a89a1afee7eaad107850a8e180
Instruction Fuzzy Hash: C041ACB2B19B4AC6EB208F51E4806A933A4FB88794F590135DE5DE7791DF3CE64AC700

Function 00007FF6570F21F4 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,?,-00000002,00000000,00000000,00007FF6570F23BB), ref: 00007FF6570F2229
GetLastError.KERNEL32(?,?,?,?,-00000002,00000000,00000000,00007FF6570F23BB), ref: 00007FF6570F2237
CopyFileW.KERNEL32(?,?,?,?,-00000002,00000000,00000000,00007FF6570F23BB), ref: 00007FF6570F22F1
GetLastError.KERNEL32(?,?,?,?,-00000002,00000000,00000000,00007FF6570F23BB), ref: 00007FF6570F22FB

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F22C2, 00007FF6570F2318
failed to create directory while copying file: '%ls' to: '%ls', xrefs: 00007FF6570F22B1
failed to copy file: '%ls' to: '%ls', xrefs: 00007FF6570F2329

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp$failed to copy file: '%ls' to: '%ls'$failed to create directory while copying file: '%ls' to: '%ls'
API String ID: 374144340-3418930266
Opcode ID: a7b63d5db7519201cbb653cb4c980c1eef6e8ee8f073aa7e1b0e76553facb045
Instruction ID: ed7e1d65209017b7aeaeb1462f1d874b1d0cb460eef8a2a0bb5b591e37ec9242
Opcode Fuzzy Hash: a7b63d5db7519201cbb653cb4c980c1eef6e8ee8f073aa7e1b0e76553facb045
Instruction Fuzzy Hash: CC418FE1B0875A82EB609B66988063D73D4AF44B90F584535DE4DE37A4EF3CE849C708

Function 00007FF6570A6378 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 100COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570A6487

Strings

Failed to add "%ls" to the list of dependencies to ignore., xrefs: 00007FF6570A64AD
Failed to add "%ls" to the string dictionary., xrefs: 00007FF6570A649F
Failed to check the dictionary of unique dependencies., xrefs: 00007FF6570A642C
ALL, xrefs: 00007FF6570A6471
d:\a\wix4\wix4\src\burn\engine\dependency.cpp, xrefs: 00007FF6570A63CE, 00007FF6570A64BE
Failed to create the string dictionary., xrefs: 00007FF6570A63BD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: ALL$Failed to add "%ls" to the list of dependencies to ignore.$Failed to add "%ls" to the string dictionary.$Failed to check the dictionary of unique dependencies.$Failed to create the string dictionary.$d:\a\wix4\wix4\src\burn\engine\dependency.cpp
API String ID: 1825529933-461799926
Opcode ID: f6a70afddf6bc7f433e2edca49d94eb57e023312edb37d7a6b9c3fc28c69a44e
Instruction ID: 11112cba536ccd15e57ac37717f72ae420c89fd477097e0292dc8f920fd14aeb
Opcode Fuzzy Hash: f6a70afddf6bc7f433e2edca49d94eb57e023312edb37d7a6b9c3fc28c69a44e
Instruction Fuzzy Hash: E841D4B2B0865A86FB209F12E4403AA67E0FB84B90F4C4635DA4DE77D1DF7CE5498704

Function 00007FF6570F7868 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF6570F79D5

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 00007FF6570F790A, 00007FF6570F7924, 00007FF6570F798D, 00007FF6570F79B7
Failed to locate and query bundle variable., xrefs: 00007FF6570F78D1
Failed to read string shared variable., xrefs: 00007FF6570F7968
Reading bundle variable of type 0x%x not implemented., xrefs: 00007FF6570F7935
variables, xrefs: 00007FF6570F78BB
An invalid parameter was passed to the function., xrefs: 00007FF6570F79A3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: An invalid parameter was passed to the function.$Failed to locate and query bundle variable.$Failed to read string shared variable.$Reading bundle variable of type 0x%x not implemented.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp$variables
API String ID: 3535843008-2641142750
Opcode ID: f179bd3d620ea337dc6ae7648bab44f866cb39d89281ff0fab4e64799e5261b4
Instruction ID: 794b958b0b031703af92e01ee4cb38821cebba03ae9e252aa8f7e8bf775fefb0
Opcode Fuzzy Hash: f179bd3d620ea337dc6ae7648bab44f866cb39d89281ff0fab4e64799e5261b4
Instruction Fuzzy Hash: C741C1B1B0C74A8AEB208B12D8806B973E1BF85780F9C0139DA4DE7795DF2DE909C745

Function 00007FF6570938FC Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 80COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6570939F8

Strings

Failed to format path string., xrefs: 00007FF657093939
Failed to set variable., xrefs: 00007FF6570939D4
Failed to get file version., xrefs: 00007FF65709398C
File search: %ls, did not find path: %ls, xrefs: 00007FF6570939E9
d:\a\wix4\wix4\src\burn\engine\search.cpp, xrefs: 00007FF65709394A
Failed to create version from file version., xrefs: 00007FF6570939AD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: Failed to create version from file version.$Failed to format path string.$Failed to get file version.$Failed to set variable.$File search: %ls, did not find path: %ls$d:\a\wix4\wix4\src\burn\engine\search.cpp
API String ID: 2941638530-3858641006
Opcode ID: 3a30915db2c48a586e32f6ed9b0d32fd78c111b923a86346f7d1b8247ef3a0cd
Instruction ID: 5c83a01cf1bcb3cb5986c4917a50ab319fb89bc5704f7fe1c96ac7120f7fdf7a
Opcode Fuzzy Hash: 3a30915db2c48a586e32f6ed9b0d32fd78c111b923a86346f7d1b8247ef3a0cd
Instruction Fuzzy Hash: 4931F9A1B08A5B86FB10DF52D4413F953A0FF58B98F480132EA0DE7B95DF2CD5598700

Function 00007FF6570D0760 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF6570D142F,?,?,?,?,?,00007FF6570B899A), ref: 00007FF6570D077F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF6570D142F,?,?,?,?,?,00007FF6570B899A), ref: 00007FF6570D07C0
ReleaseSemaphore.KERNEL32(?,?,?,?,?,00007FF6570D142F,?,?,?,?,?,00007FF6570B899A), ref: 00007FF6570D07E7
GetLastError.KERNEL32(?,?,?,?,?,00007FF6570D142F,?,?,?,?,?,00007FF6570B899A), ref: 00007FF6570D07F1

Strings

Failed to signal queue semaphore., xrefs: 00007FF6570D0825
Failed to enqueue action., xrefs: 00007FF6570D07CA
d:\a\wix4\wix4\src\burn\engine\externalengine.cpp, xrefs: 00007FF6570D0805, 00007FF6570D0833

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveReleaseSemaphore
String ID: Failed to enqueue action.$Failed to signal queue semaphore.$d:\a\wix4\wix4\src\burn\engine\externalengine.cpp
API String ID: 540623443-3073591944
Opcode ID: 64961a48ee5c2188e11fef9889a49171b6900b63d59c6242bf9fb24494b36200
Instruction ID: 41fd5fa70b9431146c5f53e7df3ee486d41c62fb4755aa023badb60e51ebddb4
Opcode Fuzzy Hash: 64961a48ee5c2188e11fef9889a49171b6900b63d59c6242bf9fb24494b36200
Instruction Fuzzy Hash: CE21A062B18B4682EB10DF16D48037A63E4FB94B80F884036DA4DE7795DF7CE559C744

Function 00007FF6570F2438 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F2798: FindFirstFileW.KERNEL32 ref: 00007FF6570F27DE
Part of subcall function 00007FF6570F2798: FindClose.KERNEL32 ref: 00007FF6570F27ED

SetFileAttributesW.KERNEL32 ref: 00007FF6570F246D
GetLastError.KERNEL32 ref: 00007FF6570F2477
DeleteFileW.KERNEL32 ref: 00007FF6570F24B4
GetLastError.KERNEL32 ref: 00007FF6570F24BE

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F2492, 00007FF6570F24D9, 00007FF6570F2506
Failed to remove attributes from file: %ls, xrefs: 00007FF6570F24A3
Failed to delete file: %ls, xrefs: 00007FF6570F24EA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: Failed to delete file: %ls$Failed to remove attributes from file: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 3967264933-3778428042
Opcode ID: 1784234101db1dc2e49455ad321c618b1b825b39f8d99023c2e37cfe73bfc7be
Instruction ID: dd792e89a395b16a40d4ba38317f6c606c37af95dc55ac5dc177ff560b5d1e51
Opcode Fuzzy Hash: 1784234101db1dc2e49455ad321c618b1b825b39f8d99023c2e37cfe73bfc7be
Instruction Fuzzy Hash: 7721C5A0B0C78682F710ABA5E88077E63E4AF807A0F4C4135DD4DD7694EFACE558CB58

Function 00007FF6570EC10C Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657081A28: LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A58
Part of subcall function 00007FF657081A28: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A66

GetProcAddress.KERNEL32 ref: 00007FF6570EC149
GetLastError.KERNEL32 ref: 00007FF6570EC15B

Strings

srclient.dll, xrefs: 00007FF6570EC11F
SRSetRestorePointW, xrefs: 00007FF6570EC142
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\srputil.cpp, xrefs: 00007FF6570EC16F, 00007FF6570EC1C1
Failed to find set restore point proc address., xrefs: 00007FF6570EC18F
Failed to initialize security for COM to talk to system restore., xrefs: 00007FF6570EC1B1

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: Failed to find set restore point proc address.$Failed to initialize security for COM to talk to system restore.$SRSetRestorePointW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\srputil.cpp$srclient.dll
API String ID: 1866314245-3391705418
Opcode ID: 62bd9539a885722edca75bd10437ae1dc13eca6852469989d0812fbb6b7709e7
Instruction ID: a59b97f23755f8100fcdefd89ea27889fdc6c139480eb3fccb0fca8267ab2251
Opcode Fuzzy Hash: 62bd9539a885722edca75bd10437ae1dc13eca6852469989d0812fbb6b7709e7
Instruction Fuzzy Hash: 862137A0B1CB4F85FB219B16E89027A22E0AF95754F5C013ADD0DE63A1EE7DE9498300

Function 00007FF6570E95E8 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF65708B07C), ref: 00007FF6570E960E
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF65708B07C), ref: 00007FF6570E961E
GetLastError.KERNEL32(?,?,?,?,?,00007FF65708B07C), ref: 00007FF6570E9645

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E9659, 00007FF6570E9692
IsWow64Process2, xrefs: 00007FF6570E9617
Failed to check WOW64 process - IsWow64Process2., xrefs: 00007FF6570E9679
kernel32, xrefs: 00007FF6570E9602

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: Failed to check WOW64 process - IsWow64Process2.$IsWow64Process2$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp$kernel32
API String ID: 4275029093-1827600283
Opcode ID: 61359b56e72ec1a02445d8a23ea30af197e097ca23a4187337d9ea88c900ac63
Instruction ID: 8f76d087a8059be89eb63288797c9e736cf66072f383437fd867e2cc5f1f2058
Opcode Fuzzy Hash: 61359b56e72ec1a02445d8a23ea30af197e097ca23a4187337d9ea88c900ac63
Instruction Fuzzy Hash: 55118161B187869AEB109F56E8801A673E0BF88B90F48013ADA4DE3764DF6CE549C704

Function 00007FF6570EA270 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657081A28: LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A58
Part of subcall function 00007FF657081A28: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570811A9), ref: 00007FF657081A66

GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF657089613), ref: 00007FF6570EA2C8
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF657089613), ref: 00007FF6570EA2E3

Strings

AdvApi32.dll, xrefs: 00007FF6570EA27D
Failed to load AdvApi32.dll, xrefs: 00007FF6570EA294
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EA2A0
RegGetValueW, xrefs: 00007FF6570EA2D5
RegDeleteKeyExW, xrefs: 00007FF6570EA2C1

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressProc$ErrorLastLibraryLoad
String ID: AdvApi32.dll$Failed to load AdvApi32.dll$RegDeleteKeyExW$RegGetValueW$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 856020675-1672349681
Opcode ID: c85ce38fdfc4f87e5ef05738976b5605533dee84822bdbd8f1f470c84510dcfd
Instruction ID: f790d91e9f6298ae2c572f267aeec86769734851d0b5e24e0f7adc67ad51489d
Opcode Fuzzy Hash: c85ce38fdfc4f87e5ef05738976b5605533dee84822bdbd8f1f470c84510dcfd
Instruction Fuzzy Hash: 3F11D2B0A18A0B85EF20CB01FC915B533A4AF48744B8C4035C90EEA260EF3CA19DC710

Function 00007FF6570F85F8 Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 202stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,?), ref: 00007FF6570F870E
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,?), ref: 00007FF6570F872F

Strings

Failed to send request to URL: %ls, xrefs: 00007FF6570F87D3
Failed to open internet URL: %ls, xrefs: 00007FF6570F87F5
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00007FF6570F87E3, 00007FF6570F8831, 00007FF6570F8870, 00007FF6570F8898
Failed to connect to URL: %ls, xrefs: 00007FF6570F885E
Failed to break URL into server and resource parts., xrefs: 00007FF6570F888C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: lstrlen
String ID: Failed to break URL into server and resource parts.$Failed to connect to URL: %ls$Failed to open internet URL: %ls$Failed to send request to URL: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
API String ID: 1659193697-573936277
Opcode ID: 6e19d9e7a5cbb421d1c2c5307b88a6b5bce926a522ae4b9e986f48f6518da28c
Instruction ID: 87b51681370ee4630a1c7f4d71d45ce41a836f3f2e37da45da7ffd6f377f36eb
Opcode Fuzzy Hash: 6e19d9e7a5cbb421d1c2c5307b88a6b5bce926a522ae4b9e986f48f6518da28c
Instruction Fuzzy Hash: 91815D76B08B5A86EB60CF52E8402A977A0FB88B84F580135DE4DE7B94EF3CD549C344

Function 00007FF657089124 Relevance: 12.1, APIs: 8, Instructions: 144COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF65708916D
CloseHandle.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF657089188
DeleteCriticalSection.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF65708919D
CloseHandle.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF6570891AF
CloseHandle.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF6570891C9
CloseHandle.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF65708920C
DeleteCriticalSection.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF65708922D
DeleteCriticalSection.KERNEL32(?,?,00000000,00007FF657089AC8), ref: 00007FF6570893AE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteSection
String ID:
API String ID: 2166061224-0
Opcode ID: c166dbbf86232752d0a6f6da6bff20c310b5647220ac60e83a23736501b5ba59
Instruction ID: 77ee89ec3a60ec4c9dda96c2e182d6cb6e1ccc77f7dc0a2c4850fe3bd983cbf0
Opcode Fuzzy Hash: c166dbbf86232752d0a6f6da6bff20c310b5647220ac60e83a23736501b5ba59
Instruction Fuzzy Hash: 8B711D95B1A58A84FF95FFA1C4657BC2390EF81F58F8D0231D91EEA5D6CF28A44C8321

Function 00007FF65708A4E0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 110COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF65708A50D
LeaveCriticalSection.KERNEL32 ref: 00007FF65708A673

Strings

Failed to format value '%ls' of variable: %ls, xrefs: 00007FF65708A60D
d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708A59B, 00007FF65708A5FC, 00007FF65708A64F
Failed to get unformatted string., xrefs: 00007FF65708A58A
Failed to get value as string for variable: %ls, xrefs: 00007FF65708A63E
Failed to get variable: %ls, xrefs: 00007FF65708A54E
*****, xrefs: 00007FF65708A5EA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-1256323647
Opcode ID: 65b1cf21c730bcec377a52bec00012e987b15df618c37247e8e664d92cbaa7ba
Instruction ID: c9bb76f1d1f2d3e94ea97c038054cb111885d56b3e380627b2f8fe4f31876082
Opcode Fuzzy Hash: 65b1cf21c730bcec377a52bec00012e987b15df618c37247e8e664d92cbaa7ba
Instruction Fuzzy Hash: ED41A0A2B18B5686EB20DF11E88036A63E4FB48784F484235DE8CE7B95DF3DE559C740

Function 00007FF65708686C Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FF657086A0C), ref: 00007FF65708694A
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FF657086A0C), ref: 00007FF65708695B

Strings

Failed to allocate new array., xrefs: 00007FF657086983
Failed to get current memory size., xrefs: 00007FF6570868CF
Integer overflow when calculating new element count., xrefs: 00007FF65708699A
Integer overflow when calculating new block size., xrefs: 00007FF65708698C
Failed to allocate array larger., xrefs: 00007FF65708692E
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp, xrefs: 00007FF657086916, 00007FF65708696B, 00007FF6570869BC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: Failed to allocate array larger.$Failed to allocate new array.$Failed to get current memory size.$Integer overflow when calculating new block size.$Integer overflow when calculating new element count.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp
API String ID: 1617791916-4167099675
Opcode ID: a2f9725e89f93331c5c13d81114fbb0b44cb628460378933a860b9ae8ed4a6d2
Instruction ID: 8050ff97c2ba89daea86b8a7fd3c3f88e1459ffaf6b10430bf602ec35b8aa253
Opcode Fuzzy Hash: a2f9725e89f93331c5c13d81114fbb0b44cb628460378933a860b9ae8ed4a6d2
Instruction Fuzzy Hash: 6E41EE71B18B4AC2EB208F01E48067923E8FB88794F5C4135DA8CE7796EF7DE9598344

Function 00007FF65708685C Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00007FF6570F37B1,?,?,?,?,?,00007FF6570F4621), ref: 00007FF657086CAC
HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,00007FF6570F37B1,?,?,?,?,?,00007FF6570F4621), ref: 00007FF657086CBD

Strings

Failed to allocate new array., xrefs: 00007FF657086CE5
Failed to get current memory size., xrefs: 00007FF657086C38
Integer overflow when calculating new element count., xrefs: 00007FF657086CFC
Integer overflow when calculating new block size., xrefs: 00007FF657086CEE
Failed to allocate larger array., xrefs: 00007FF657086C90
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp, xrefs: 00007FF657086C78, 00007FF657086CCD, 00007FF657086D1E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: Failed to allocate larger array.$Failed to allocate new array.$Failed to get current memory size.$Integer overflow when calculating new block size.$Integer overflow when calculating new element count.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\memutil.cpp
API String ID: 1617791916-3641055160
Opcode ID: 2e347de48ae5210da34ef6123c449023f60b600317269cd9ec57339e4daf8507
Instruction ID: a46e126534828d6b55f0dbb214533ec7506f745a978f63d82b80677bb0b170da
Opcode Fuzzy Hash: 2e347de48ae5210da34ef6123c449023f60b600317269cd9ec57339e4daf8507
Instruction Fuzzy Hash: CA31BFA1F1874A82EB20CF51E44027923E5EB88790F5C8035DA0DE7796EF7DE959C300

Function 00007FF65709E02C Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 77COMMON

Download Yara Rule

Strings

RebootPending, xrefs: 00007FF65709E0F1
WixBundleInstalled, xrefs: 00007FF65709E068
Failed to detect bundle install state., xrefs: 00007FF65709E053
Failed to set the bundle installed built-in variable., xrefs: 00007FF65709E08C
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709E117
Failed to overwrite the bundle reboot-pending built-in variable., xrefs: 00007FF65709E106

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to detect bundle install state.$Failed to overwrite the bundle reboot-pending built-in variable.$Failed to set the bundle installed built-in variable.$RebootPending$WixBundleInstalled$d:\a\wix4\wix4\src\burn\engine\registration.cpp
API String ID: 3535843008-1968631062
Opcode ID: 5b909350221fac9d7eb536c7eb1e7d7d95e86c505880354112392d818bc59b72
Instruction ID: 0195e5ae6a16400485bf777bc30fa49458532c08ec58be49c86b12873fab1e32
Opcode Fuzzy Hash: 5b909350221fac9d7eb536c7eb1e7d7d95e86c505880354112392d818bc59b72
Instruction Fuzzy Hash: F73184B1B0C74686EB609B51E44016AB3D4BF98B90F4C0139DA4DE3B95DF6CE559C704

Function 00007FF6570DC0C0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570DC103
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570DC4F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570DC78C

Strings

p, xrefs: 00007FF6570DC22D
p, xrefs: 00007FF6570DC1B5
f, xrefs: 00007FF6570DC225

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 186e8c00f616c4aebedd0c98e44cecd971292ab9af835d549ba69a6bd0b938fd
Instruction ID: f8b1635bcb232c278cf70f64636212fad24d4d4347a0d804f53cbf6b3d0a7e2c
Opcode Fuzzy Hash: 186e8c00f616c4aebedd0c98e44cecd971292ab9af835d549ba69a6bd0b938fd
Instruction Fuzzy Hash: B812B8B5E0C34B8AFB609B54E04467B76D2FB40764F9C4136E689E66C4DF7CE4888B18

Function 00007FF6570B17C0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 307synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 00007FF6570B18F3
CloseHandle.KERNEL32 ref: 00007FF6570B18FC

Part of subcall function 00007FF65709D110: RegCloseKey.ADVAPI32 ref: 00007FF65709D46C

Strings

ElevatedOnExecuteActionComplete failed., xrefs: 00007FF6570B1C8B
Unexpected elevated message sent to child process, msg: %u, xrefs: 00007FF6570B1BD8
d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 00007FF6570B1862, 00007FF6570B1BAF, 00007FF6570B1BC7, 00007FF6570B1C9C
Failed to save state., xrefs: 00007FF6570B1843

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close$HandleMutexRelease
String ID: ElevatedOnExecuteActionComplete failed.$Failed to save state.$Unexpected elevated message sent to child process, msg: %u$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
API String ID: 2585119886-3943832688
Opcode ID: ffb922df0ff9cc24ae47539712bd65e4019c4a6e29a6c7f79b9ae3f81cd1124c
Instruction ID: d812f8d84e43000430460a7099c27afb41335d839e7a003216790f89bebd0664
Opcode Fuzzy Hash: ffb922df0ff9cc24ae47539712bd65e4019c4a6e29a6c7f79b9ae3f81cd1124c
Instruction Fuzzy Hash: 02E12CB6A18B4A82DB20CF19D04056D77A0FB89F94F185136EA4DE3764CF39EA95C740

Function 00007FF65708E8D8 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,00000008,00000008,00000000,00000000,?,00007FF65708E5E7,?,?,?,?,?,?,00000000,?), ref: 00007FF65708EA6B
CompareStringW.KERNEL32(?,?,00000008,00000008,00000000,00000000,?,00007FF65708E5E7,?,?,?,?,?,?,00000000,?), ref: 00007FF65708EAD5
CompareStringW.KERNEL32(?,?,00000008,00000008,00000000,00000000,?,00007FF65708E5E7,?,?,?,?,?,?,00000000,?), ref: 00007FF65708EB14

Strings

Failed to get length of left string: %ls, xrefs: 00007FF65708E980
d:\a\wix4\wix4\src\burn\engine\condition.cpp, xrefs: 00007FF65708E96F, 00007FF65708E991, 00007FF65708E9F6
Failed to get length of right string: %ls, xrefs: 00007FF65708EA07

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to get length of left string: %ls$Failed to get length of right string: %ls$d:\a\wix4\wix4\src\burn\engine\condition.cpp
API String ID: 1825529933-3020116174
Opcode ID: 828d9cac5596a1cb5244e65540a33104c785a6212337f67503ff0c4215d153ee
Instruction ID: cb1e970af51a6802fbc1317076743c4884a7e1ac180b08ce3efb78b5fc38b046
Opcode Fuzzy Hash: 828d9cac5596a1cb5244e65540a33104c785a6212337f67503ff0c4215d153ee
Instruction Fuzzy Hash: B06147A2F1C69A82E7708B59A48067A62D5BB94B90F1C0135ED8DF7B91CE7CF5888740

Function 00007FF6570A2310 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF6570A23BE

Strings

Failed to calculate cache path., xrefs: 00007FF6570A2357
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A2368, 00007FF6570A2461
per-user, xrefs: 00007FF6570A2440, 00007FF6570A24B6
per-machine, xrefs: 00007FF6570A2439, 00007FF6570A24AF
Failed to get %hs package cache root directory., xrefs: 00007FF6570A2455
Failed to get old %hs package cache root directory., xrefs: 00007FF6570A24CB

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$d:\a\wix4\wix4\src\burn\engine\cache.cpp$per-machine$per-user
API String ID: 3472027048-1762823252
Opcode ID: 116b6ca4c9674d50851841a3b7ec2f12dad6b7fdf7b42a88c7dfdc15611fe909
Instruction ID: 3dd2b3ca5c14c92f7ab74073326ea883894583c5f489ba9205e37430e3355abf
Opcode Fuzzy Hash: 116b6ca4c9674d50851841a3b7ec2f12dad6b7fdf7b42a88c7dfdc15611fe909
Instruction Fuzzy Hash: 67519161B18A4A86FB108B55E8407BA67E0FBC5B80F584135EE4DE7B95DF3CE5888740

Function 00007FF6570EB11C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 132COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570EB237

Strings

Failed to read wix version registry value., xrefs: 00007FF6570EB17E
Failed to convert registry string to wix version., xrefs: 00007FF6570EB203, 00007FF6570EB2C8
Failed to copy QWORD wix version value., xrefs: 00007FF6570EB257
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EB195, 00007FF6570EB241, 00007FF6570EB26A, 00007FF6570EB283
Error reading wix version registry value due to unexpected data type: %u, xrefs: 00007FF6570EB294

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Error reading wix version registry value due to unexpected data type: %u$Failed to convert registry string to wix version.$Failed to copy QWORD wix version value.$Failed to read wix version registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 3215553584-1929277467
Opcode ID: 3f5e865de9b2309ef8e9ddfd12c0966e87e208405f892668fdec9245928c6d8d
Instruction ID: d162aa33fa5072b0c7fb3e73d84496dedaaf8d7518fc3d6fe1ab36a626d6032c
Opcode Fuzzy Hash: 3f5e865de9b2309ef8e9ddfd12c0966e87e208405f892668fdec9245928c6d8d
Instruction Fuzzy Hash: D4518B72F18A5A89FB10AB61D840ABD23E4AF49794F580139DE0DE7B85DF3CE9498740

Function 00007FF6570F88F4 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 130COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570F8778), ref: 00007FF6570F89E8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6570F8778), ref: 00007FF6570F8A54

Strings

Failed to add header to HTTP request., xrefs: 00007FF6570F8A8E
Failed to allocate string for resource URI., xrefs: 00007FF6570F894E
Failed to open internet request., xrefs: 00007FF6570F8A1C
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00007FF6570F8965, 00007FF6570F89FC, 00007FF6570F8A68, 00007FF6570F8A9A
Failed to append query strong to resource from URI., xrefs: 00007FF6570F89A4

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
API String ID: 1452528299-283382383
Opcode ID: 8de55f3ae9f41a753a187427e9074a637fe2a1917d09737b3883c974e6877e4f
Instruction ID: 8e499cbe9f73f9ef84fe25b06e9c86d3466508c5fea4eee3a164f010531a34c3
Opcode Fuzzy Hash: 8de55f3ae9f41a753a187427e9074a637fe2a1917d09737b3883c974e6877e4f
Instruction Fuzzy Hash: E0518062B0C74686FB208F15E4802A962E5FF84B90F5C4136DA4DE7BA4EF3CE5498744

Function 00007FF6570EAF6C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570EB046

Strings

Failed to convert registry string to version., xrefs: 00007FF6570EB0D1
Error reading version registry value due to unexpected data type: %u, xrefs: 00007FF6570EB0A1
Failed to copy QWORD version value., xrefs: 00007FF6570EB066
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EB050, 00007FF6570EB076, 00007FF6570EB090, 00007FF6570EB0E8
Failed to read version registry value., xrefs: 00007FF6570EAFC3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Error reading version registry value due to unexpected data type: %u$Failed to convert registry string to version.$Failed to copy QWORD version value.$Failed to read version registry value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 3215553584-2150151203
Opcode ID: 4acf3cf64eef7684fbedf85b663bbc6aff33fac5b32c1dccde2d67ea2313ea77
Instruction ID: 03f8198763ab36410473c93176f11139d828fd9061f8c22f812ee5d42c2e4c62
Opcode Fuzzy Hash: 4acf3cf64eef7684fbedf85b663bbc6aff33fac5b32c1dccde2d67ea2313ea77
Instruction Fuzzy Hash: 4441BCB1B0C71B86FB20AB01E485B7D62E1AB49B90F580135DA2CE7B95DF3DE9498740

Function 00007FF6570FD1C0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 102COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570FD26C

Strings

Failed to allocate value., xrefs: 00007FF6570FD293
Failed to get query information., xrefs: 00007FF6570FD2F2
Failed to allocate memory for value., xrefs: 00007FF6570FD203
Failed to get size of value., xrefs: 00007FF6570FD226
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp, xrefs: 00007FF6570FD2E1, 00007FF6570FD306

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to allocate memory for value.$Failed to allocate value.$Failed to get query information.$Failed to get size of value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp
API String ID: 1452528299-3024109871
Opcode ID: 432a63f09e13db5913904e10d436679de2194ba7f5563b937935c80f7e19b7d6
Instruction ID: 2c10b4ba238ae36b2d37028e3271b9754fd3124c060c4643046a1b1a4fbc6040
Opcode Fuzzy Hash: 432a63f09e13db5913904e10d436679de2194ba7f5563b937935c80f7e19b7d6
Instruction Fuzzy Hash: 8141A371B18B5686EB508F65D8903B923A0FB94754F084536EA0EE7794EF3CE94AC344

Function 00007FF65709B728 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 97registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,00000000,?,?,00000000,?,00007FF65709DE80), ref: 00007FF65709B7E4
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,00007FF65709DE80), ref: 00007FF65709B7FA

Strings

Failed to format key for update registration., xrefs: 00007FF65709B764
Failed to remove update registration key: %ls, xrefs: 00007FF65709B833
PackageVersion, xrefs: 00007FF65709B7B6
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709B783, 00007FF65709B844

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion$d:\a\wix4\wix4\src\burn\engine\registration.cpp
API String ID: 446873843-2063007608
Opcode ID: c372acd96132197c9d74e289b9708ecaae52f23e14c16fcf4d24625eb887ec16
Instruction ID: e3b2d47abab473753ea011258c2eacb1cd21970cf6ffd5992c2ef96a28e00ce9
Opcode Fuzzy Hash: c372acd96132197c9d74e289b9708ecaae52f23e14c16fcf4d24625eb887ec16
Instruction Fuzzy Hash: FC4173B2708A4A86EB209F25E8806BA67E4FF587D4F580135EE4EE7A54CF3CD449C700

Function 00007FF6570A2520 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32 ref: 00007FF6570A25A3
GetLastError.KERNEL32 ref: 00007FF6570A25AD
SetFileAttributesW.KERNEL32 ref: 00007FF6570A263A

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A256F, 00007FF6570A25C1
Failed to initialize ACL., xrefs: 00007FF6570A25E1
Failed to allocate administrator SID., xrefs: 00007FF6570A255E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 669721577-2625618253
Opcode ID: 8e59cbe473a6e253b4a6c021cd947ae2fa7331b7bef28d00b1e9d5ef92eba84c
Instruction ID: b0617807fa479ec91916a731cd5ceb322c4cba1b353fde366aee138c38937b43
Opcode Fuzzy Hash: 8e59cbe473a6e253b4a6c021cd947ae2fa7331b7bef28d00b1e9d5ef92eba84c
Instruction Fuzzy Hash: A031C172B1864A82FB108F12E44076A67E1FBC8B80F584135DA8DD77A5DF3CE549CB04

Function 00007FF6570F34C4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6570F34FC
GetLastError.KERNEL32 ref: 00007FF6570F350B
CloseHandle.KERNEL32 ref: 00007FF6570F35CE

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F351F, 00007FF6570F3558, 00007FF6570F359E
Failed to open file: %ls, xrefs: 00007FF6570F354A
Failed to write to file: %ls, xrefs: 00007FF6570F358D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open file: %ls$Failed to write to file: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 2528220319-1719111557
Opcode ID: 99d3e8ec0696c0884044644f8efd2176d13fc7ed8831a43601569a475fb69c97
Instruction ID: c52da00ba16e6832a783994221f9d7f692aedd1716add15af7ffd191a390326f
Opcode Fuzzy Hash: 99d3e8ec0696c0884044644f8efd2176d13fc7ed8831a43601569a475fb69c97
Instruction Fuzzy Hash: 48315EB2B0874586EB209B16E8402A976E4AB84BB0F180335DA6DD77E5CF3CD559CB04

Function 00007FF657083250 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6570832A4
GetLastError.KERNEL32 ref: 00007FF6570832B4
LocalFree.KERNEL32 ref: 00007FF657083365

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp, xrefs: 00007FF6570832C8, 00007FF657083301, 00007FF657083342
Failed to format message for error: 0x%x, xrefs: 00007FF6570832F0
Failed to allocate string for message., xrefs: 00007FF657083336

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: Failed to allocate string for message.$Failed to format message for error: 0x%x$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\strutil.cpp
API String ID: 1365068426-3351270200
Opcode ID: 17f0db0e33cdc373b52a48f3b47251fb9951c13d4449b801879dc6a0def0b33a
Instruction ID: dc6d57d041da9f6f09016164a2f49aceb9cc01f425617dd2afe7117a21ab9126
Opcode Fuzzy Hash: 17f0db0e33cdc373b52a48f3b47251fb9951c13d4449b801879dc6a0def0b33a
Instruction Fuzzy Hash: AC31A1B2718B4992EB218F15E8847AA32E1FB98780F184139DA4DD7744EF3DD919C704

Function 00007FF6570EF6BC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6570EF759
SysFreeString.OLEAUT32 ref: 00007FF6570EF7B7

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EF6DB, 00007FF6570EF70B, 00007FF6570EF72A, 00007FF6570EF76C
failed to allocate bstr for XPath expression in XmlSelectSingleNode, xrefs: 00007FF6570EF782
ppixnChild parameter was null in XmlSelectSingleNode, xrefs: 00007FF6570EF742
pixnParent parameter was null in XmlSelectSingleNode, xrefs: 00007FF6570EF6F3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$AllocFree
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectSingleNode$pixnParent parameter was null in XmlSelectSingleNode$ppixnChild parameter was null in XmlSelectSingleNode
API String ID: 344208780-1462723567
Opcode ID: 6b157b56f3b9731659039f7257b84d39456d127d90d4d0a58a4fdd0394a5ea7c
Instruction ID: 5882f55f23266d9480c23f5a5ac0a7f189c9dec54dc7ce5815c24df9c92f2c42
Opcode Fuzzy Hash: 6b157b56f3b9731659039f7257b84d39456d127d90d4d0a58a4fdd0394a5ea7c
Instruction Fuzzy Hash: 9421B6A5B2861A82EB20CB06E84017563E5AF99BD0F9C0135DD4DE37A5DF3CE90AC704

Function 00007FF6570EF5A8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6570EF645
SysFreeString.OLEAUT32 ref: 00007FF6570EF6A3

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EF5C7, 00007FF6570EF5F7, 00007FF6570EF616, 00007FF6570EF658
pixnParent parameter was null in XmlSelectNodes, xrefs: 00007FF6570EF5DF
ppixnChild parameter was null in XmlSelectNodes, xrefs: 00007FF6570EF62E
failed to allocate bstr for XPath expression in XmlSelectNodes, xrefs: 00007FF6570EF66E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$AllocFree
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed to allocate bstr for XPath expression in XmlSelectNodes$pixnParent parameter was null in XmlSelectNodes$ppixnChild parameter was null in XmlSelectNodes
API String ID: 344208780-3683195698
Opcode ID: c50f91a02a9ba2c650dd86bb3b8c46904f23a4c66dfbbd1e2e9d3105a309bc45
Instruction ID: 0e0bc013211617649b9110ce1363015b2b00deaa21792ab59f45172e69a5bfb8
Opcode Fuzzy Hash: c50f91a02a9ba2c650dd86bb3b8c46904f23a4c66dfbbd1e2e9d3105a309bc45
Instruction Fuzzy Hash: 3C21B9A5B1865A82EB20CB05E84017963E5AF99BD0F5C4136CD4DE37A4DF3CE90A8704

Function 00007FF6570DE140 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570DE14F
FlsGetValue.KERNEL32 ref: 00007FF6570DE164
FlsSetValue.KERNEL32 ref: 00007FF6570DE185
FlsSetValue.KERNEL32 ref: 00007FF6570DE1B2
FlsSetValue.KERNEL32 ref: 00007FF6570DE1C3
FlsSetValue.KERNEL32 ref: 00007FF6570DE1D4
SetLastError.KERNEL32 ref: 00007FF6570DE1EF

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ceea9ac769fb214935b2432e45667e585b16961fe368f67a92c4c593ab1c1345
Instruction ID: a4d60dfdc12c8a758521f794ae5986b30b55665dcb46c6093e7db6315a395f97
Opcode Fuzzy Hash: ceea9ac769fb214935b2432e45667e585b16961fe368f67a92c4c593ab1c1345
Instruction Fuzzy Hash: 4C212CB4F0834F42FB686731595513A62D25F44BB4F1C4734E93EE67D6DE6CA4494208

Function 00007FF6570E624C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6570E627D
GetLastError.KERNEL32 ref: 00007FF6570E6289
CloseHandle.KERNEL32 ref: 00007FF6570E62A1
CreateFileW.KERNEL32 ref: 00007FF6570E62CC
WriteConsoleW.KERNEL32 ref: 00007FF6570E62EB

Strings

CONOUT$, xrefs: 00007FF6570E62AD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: eaaa479d72015e632d8ee55f5a571fbad3eebd4925cdca1ed9c1269a34c0d8eb
Instruction ID: ec98796760a7d70c2bf4bf9543dc0d2340d746051407500131980005448da67b
Opcode Fuzzy Hash: eaaa479d72015e632d8ee55f5a571fbad3eebd4925cdca1ed9c1269a34c0d8eb
Instruction Fuzzy Hash: 18119361B18A8586E7508F52F84432972E0FB88FE4F084234DE5ED7B94CF7CE4488748

Function 00007FF6570F4824 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 45comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00007FF6570F4857
CoCreateInstance.OLE32 ref: 00007FF6570F4888

Strings

Failed to create instance of Microsoft.Update.AutoUpdate., xrefs: 00007FF6570F4894
Microsoft.Update.AutoUpdate, xrefs: 00007FF6570F484C
Failed to get CLSID for Microsoft.Update.AutoUpdate., xrefs: 00007FF6570F4863
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wuautil.cpp, xrefs: 00007FF6570F48AB

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Failed to create instance of Microsoft.Update.AutoUpdate.$Failed to get CLSID for Microsoft.Update.AutoUpdate.$Microsoft.Update.AutoUpdate$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\wuautil.cpp
API String ID: 2151042543-594154128
Opcode ID: ad0ded6dfa0d0fe83d532d465e80f50d1354fc709d76dd964e1c87672f85a841
Instruction ID: f179205a4c16424085573e7f56041ecf774696c817cac428620a47fa8e61d31b
Opcode Fuzzy Hash: ad0ded6dfa0d0fe83d532d465e80f50d1354fc709d76dd964e1c87672f85a841
Instruction Fuzzy Hash: 76115B71B18B8AC2EB208B11F8440AA73E1FB48794F880132EA5DD3754EF3DE559C744

Function 00007FF6570FDE40 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6570FDDAF,?,?,?,00007FF6570FE16A), ref: 00007FF6570FDE67
GetProcAddress.KERNEL32(?,?,?,00007FF6570FDDAF,?,?,?,00007FF6570FE16A), ref: 00007FF6570FDE84
GetProcAddress.KERNEL32(?,?,?,00007FF6570FDDAF,?,?,?,00007FF6570FE16A), ref: 00007FF6570FDEA0

Strings

KERNEL32.DLL, xrefs: 00007FF6570FDE60
ReleaseSRWLockExclusive, xrefs: 00007FF6570FDE8F
AcquireSRWLockExclusive, xrefs: 00007FF6570FDE7A

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 67fc19edb64316081c6316322a8cc13e9b6b4468c87a515185f59ba91aa51a72
Instruction ID: dd5a750e0e6b6938be48c293f93b32da21448417e542d3fd82cf399e64a5d5ad
Opcode Fuzzy Hash: 67fc19edb64316081c6316322a8cc13e9b6b4468c87a515185f59ba91aa51a72
Instruction Fuzzy Hash: A31121A1A0EB1F95FE69AF01A91037562D16F24788F4C5538C91DE6390EF7CB45EC218

Function 00007FF6570E8178 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF6570899F2), ref: 00007FF6570E8187
FlushFileBuffers.KERNEL32(?,?,?,?,00000000,00007FF6570899F2), ref: 00007FF6570E819F
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6570899F2), ref: 00007FF6570E81A9
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF6570899F2), ref: 00007FF6570E820F

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E81D1, 00007FF6570E81EF
Failed to flush log file buffers., xrefs: 00007FF6570E81E3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$BuffersEnterErrorFileFlushLastLeave
String ID: Failed to flush log file buffers.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
API String ID: 1143292862-3789970458
Opcode ID: c3a2b53d9f415d193179b3a4f2a41519db370e4a7151b46eb95b709d6bdc05f7
Instruction ID: 63f83cddb616d2d5019b5af88b21d78f49fdbbb182647abb92c469bbf1d2e071
Opcode Fuzzy Hash: c3a2b53d9f415d193179b3a4f2a41519db370e4a7151b46eb95b709d6bdc05f7
Instruction Fuzzy Hash: 451161B1B18A4A86FB149B25DC901B533E0AF54760F480239D96EE26F0EF2CE55D8304

Function 00007FF6570D5408 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6570D5433
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6570D54C8
RtlUnwindEx.KERNEL32 ref: 00007FF6570D5517

Strings

f, xrefs: 00007FF6570D5446
csm, xrefs: 00007FF6570D54AE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 086aeb89ba7506c75159e1eb5d45745d141201e07396e1855dd07762cfd4d523
Instruction ID: 60e629fe8fa3de7f3b9c791c6976ad2fbce526b29590009973dec2c1e1f793fa
Opcode Fuzzy Hash: 086aeb89ba7506c75159e1eb5d45745d141201e07396e1855dd07762cfd4d523
Instruction Fuzzy Hash: 3651D972A1970586DB15CF16E414A2937E6FB44B88F588131EE0EE774CEF78E845C708

Function 00007FF6570E70D8 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6570E71DD

Strings

Failed to get string size., xrefs: 00007FF6570E716D
Failed to write string to buffer: '%ls', error: %d, xrefs: 00007FF6570E7205
Failed to ensure buffer size., xrefs: 00007FF6570E71B2
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp, xrefs: 00007FF6570E715C, 00007FF6570E7188, 00007FF6570E71ED, 00007FF6570E721C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: memcpy_s
String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%ls', error: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
API String ID: 1502251526-4099103365
Opcode ID: dd7fa1b2b2b72873a7486e7ec9428b025126744e0b5eabf68f311e6f2c5cfe64
Instruction ID: 07d8eda4dcfe0d0036d688ebacb1a152d12664a2360b48342d0a81bb2d6ae2c0
Opcode Fuzzy Hash: dd7fa1b2b2b72873a7486e7ec9428b025126744e0b5eabf68f311e6f2c5cfe64
Instruction Fuzzy Hash: CB41D2B2B18B5BC6EB208F16E88057962A4FB95BC0F5C5136DE0DE3B94DE3CE5158700

Function 00007FF6570E725C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6570E7351

Strings

Failed to get string size., xrefs: 00007FF6570E72E5
Failed to write string to buffer: '%hs', error: %d, xrefs: 00007FF6570E737B
Failed to ensure buffer size., xrefs: 00007FF6570E7326
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp, xrefs: 00007FF6570E72D4, 00007FF6570E7300, 00007FF6570E7362, 00007FF6570E7392

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: memcpy_s
String ID: Failed to ensure buffer size.$Failed to get string size.$Failed to write string to buffer: '%hs', error: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\buffutil.cpp
API String ID: 1502251526-3750679403
Opcode ID: 0238bf193b6539d9e9d73b1e8e20575478c8a88195f2f66bdf14cccf388a0edc
Instruction ID: 1a1d576967379446ea209dc4a0688c0e0f4eb9a019e1e5489a5617826f21e7ea
Opcode Fuzzy Hash: 0238bf193b6539d9e9d73b1e8e20575478c8a88195f2f66bdf14cccf388a0edc
Instruction Fuzzy Hash: 4241E1B1B18B8AC5EB209F26E880579A7A5EF95BC0F5C5136DE4CE3B95DE3CD5058300

Function 00007FF6570A67F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570A68E7
CompareStringW.KERNEL32 ref: 00007FF6570A691D

Strings

Failed to detect provider key bundle id., xrefs: 00007FF6570A6823
Failed dependents check on bundle., xrefs: 00007FF6570A6895
d:\a\wix4\wix4\src\burn\engine\dependency.cpp, xrefs: 00007FF6570A6834

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed dependents check on bundle.$Failed to detect provider key bundle id.$d:\a\wix4\wix4\src\burn\engine\dependency.cpp
API String ID: 1825529933-872169753
Opcode ID: 209f9745823d27a06de787e9e286e9e20dd26383dd689a435e27eee22fd124d2
Instruction ID: 146cb8d11fdf36c0dad2ac48ed3681ca0380948f547a3fe85a57e224e9602c1a
Opcode Fuzzy Hash: 209f9745823d27a06de787e9e286e9e20dd26383dd689a435e27eee22fd124d2
Instruction Fuzzy Hash: D3417F76608B45C6E7248F11E44056B77A4F7487A4F580339DAADD36A0DF38E569CB04

Function 00007FF6570D33C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

WaitForSingleObject.KERNEL32 ref: 00007FF6570D34B8
ReleaseMutex.KERNEL32 ref: 00007FF6570D34F0
SetEvent.KERNEL32 ref: 00007FF6570D34FA

Strings

d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp, xrefs: 00007FF6570D341E, 00007FF6570D3450
Failed to allocate buffer., xrefs: 00007FF6570D3436

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: EventHeapMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
API String ID: 3023235355-1881421891
Opcode ID: 556f41dd4f3ca94d5e7a6eee109a7b49bdf945a2b9cc495b3c3d4134c070b406
Instruction ID: 6b541587bd3add58d21f604df84588392b6e8d6db6ddecd9b5f70af52149af53
Opcode Fuzzy Hash: 556f41dd4f3ca94d5e7a6eee109a7b49bdf945a2b9cc495b3c3d4134c070b406
Instruction Fuzzy Hash: 2B41DA72B24B88C2DB20CF12E884569B3E5FB88B80B594135DA5ED7750CF7DE809C708

Function 00007FF657087168 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp, xrefs: 00007FF6570871D7, 00007FF65708727B
Failed to get full path for: %ls, xrefs: 00007FF6570871A2
Full path was not rooted: %ls, xrefs: 00007FF6570871F9
Failed to get parent directory for path: %ls, xrefs: 00007FF657087265

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Failed to get full path for: %ls$Failed to get parent directory for path: %ls$Full path was not rooted: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dirutil.cpp
API String ID: 0-281674368
Opcode ID: 6a1ff9a787268e86ce2580ab7aa86bafc4138252a5880f7ff1da44d68e4ee0ca
Instruction ID: 6edf0f824d03a95a8a541b2d1a8a0b6ca230365e3b984572ea38410db9b5487d
Opcode Fuzzy Hash: 6a1ff9a787268e86ce2580ab7aa86bafc4138252a5880f7ff1da44d68e4ee0ca
Instruction Fuzzy Hash: 3D319371718B5A8AEB609F65E8805B923A0FB84798F081135FA4EE7B58DF3CD455C700

Function 00007FF6570F7748 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EA674: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,00007FF6570EA66D), ref: 00007FF6570EA6C1

RegCloseKey.ADVAPI32 ref: 00007FF6570F7853

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 00007FF6570F77C9
Failed to enumerate uninstall key for related bundles., xrefs: 00007FF6570F782C
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00007FF6570F776B
Failed to open uninstall registry key., xrefs: 00007FF6570F77B2

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
API String ID: 47109696-4270664815
Opcode ID: abfa968a3838170a03bcec5cb91691b2c04fb953a0e53dcfb26725f118cbfae8
Instruction ID: c35f6e6f5e208c92992694b9f127e348e47204c53843a81e2dd9fecbf5eeb399
Opcode Fuzzy Hash: abfa968a3838170a03bcec5cb91691b2c04fb953a0e53dcfb26725f118cbfae8
Instruction Fuzzy Hash: 1731C7B1B1864A8EFB208F65D8407B923D0FF48758F9C1235EA0DD6695DF2CE449C349

Function 00007FF65709C400 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF65709C51B

Strings

Failed to open registration key., xrefs: 00007FF65709C451
Resume, xrefs: 00007FF65709C498
d:\a\wix4\wix4\src\burn\engine\registration.cpp, xrefs: 00007FF65709C462
Failed to read Resume value., xrefs: 00007FF65709C4C1

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to open registration key.$Failed to read Resume value.$Resume$d:\a\wix4\wix4\src\burn\engine\registration.cpp
API String ID: 3535843008-1502274520
Opcode ID: 6d96b4ee8feb5b249e36126e90173a7002c41484378594c74a9cb6aab087f8c7
Instruction ID: 987bd1de9d5e152c0b337e541d946fdfbec338605f2a7a0351889208d8afe2f2
Opcode Fuzzy Hash: 6d96b4ee8feb5b249e36126e90173a7002c41484378594c74a9cb6aab087f8c7
Instruction Fuzzy Hash: 5A313CB2F0C60B96FB208F64D99437B26E5EB64764F1C4035CA5ED7690DFADE8588700

Function 00007FF6570E94B4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6570E94E1
GetLastError.KERNEL32 ref: 00007FF6570E94EB

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E94FF, 00007FF6570E953E, 00007FF6570E957D
Failed to get privilege LUID: %ls, xrefs: 00007FF6570E951F
Failed to get token privilege information., xrefs: 00007FF6570E9571

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLastLookupPrivilegeValue
String ID: Failed to get privilege LUID: %ls$Failed to get token privilege information.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 2626710698-2191672025
Opcode ID: 0f9ad4d970d9446047e9849770d53fd860c90eea085f753fc5579f6452419e5e
Instruction ID: ec9f1d814d28f484fbaece04ee1b4d1b62dca76308a1bf8b367ee39d76bd462f
Opcode Fuzzy Hash: 0f9ad4d970d9446047e9849770d53fd860c90eea085f753fc5579f6452419e5e
Instruction Fuzzy Hash: 96318DB2B1874A8AEF208B16E5803BD77A0EB44B50F484135DA4DD7B85DF3CE849C741

Function 00007FF6570A11B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

CreateWellKnownSid.ADVAPI32(?,?,?,?,00000000,00007FF6570A22AD), ref: 00007FF6570A1237
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6570A22AD), ref: 00007FF6570A1241

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A11E6, 00007FF6570A120E, 00007FF6570A1255, 00007FF6570A1287
Failed to allocate memory for well known SID., xrefs: 00007FF6570A11FC
Failed to create well known SID., xrefs: 00007FF6570A1275

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CreateErrorHeapKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 2057720986-3368738088
Opcode ID: 2a7c194cf9e0d63946a12173f8ba8cb6ce4333da95bd6511e095d851b584356c
Instruction ID: 3c04496d52d25511b97264381c538f20c016acb69416f4688eaba31acfeae899
Opcode Fuzzy Hash: 2a7c194cf9e0d63946a12173f8ba8cb6ce4333da95bd6511e095d851b584356c
Instruction Fuzzy Hash: 3C31BF71B1CB0AC2E7209F15E8402A9A7E1BF88B90F4D4139DA4CE7751DF3CE5298B48

Function 00007FF6570817DC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(?,?,?,?,?,?,?,00007FF6570B76DD), ref: 00007FF6570817EA

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 00007FF657081821, 00007FF65708185F, 00007FF657081891, 00007FF6570818C1
Abandoned wait for multiple objects, index: %u., xrefs: 00007FF65708184E
Failed to wait for multiple objects., xrefs: 00007FF6570818B5

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: MultipleObjectsWait
String ID: Abandoned wait for multiple objects, index: %u.$Failed to wait for multiple objects.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
API String ID: 862713236-4067188417
Opcode ID: d08c2dc520f26964a74738974aea1c32f589d025185e562ae34312eab7a6ab98
Instruction ID: f230967b41545a25ee992432833ca1bb1d056c2fa08fb466a46658cbb046b88b
Opcode Fuzzy Hash: d08c2dc520f26964a74738974aea1c32f589d025185e562ae34312eab7a6ab98
Instruction Fuzzy Hash: AB31C1B1B18746C7E7108B65E8C13A922E1BF84740F68813AD64EE37A5EF3CE90D8745

Function 00007FF6570E7F80 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 00007FF6570E8026

Strings

Failed to log id module., xrefs: 00007FF6570E8037
failed to format error code: "0%08x", xrefs: 00007FF6570E7FE1
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E7FF2, 00007FF6570E8043
0x%08x, xrefs: 00007FF6570E7FBB

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: __swprintf_l
String ID: 0x%08x$Failed to log id module.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp$failed to format error code: "0%08x"
API String ID: 1488884202-2411163256
Opcode ID: ec2dbcaa49324bb4df1d8346dc2d76fa71f5df717952157a61f54c6b04fec048
Instruction ID: 96a208469465e677ca7dedcea3af55f69d19abffe34ff881ed2c5d50f70b54c5
Opcode Fuzzy Hash: ec2dbcaa49324bb4df1d8346dc2d76fa71f5df717952157a61f54c6b04fec048
Instruction Fuzzy Hash: C221B272718A8A96E720DF42F8405AA77A0FB88754F480136EE4CE3B95DF3CD549CB04

Function 00007FF6570A5354 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6570A53CD

Strings

d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A5398, 00007FF6570A5420
Layout bundle from: '%ls' to: '%ls', xrefs: 00007FF6570A53BE
Failed to combine completed path with engine file name for layout., xrefs: 00007FF6570A5387
Failed to layout bundle from: '%ls' to '%ls', xrefs: 00007FF6570A5431

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: Failed to combine completed path with engine file name for layout.$Failed to layout bundle from: '%ls' to '%ls'$Layout bundle from: '%ls' to: '%ls'$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 2941638530-2807656380
Opcode ID: 857c775585f62fc161abfb204963deb6b189b046421a73eab6c55891603ddffa
Instruction ID: e6fe2e83cb890f06cdd7eea4c25e49e5da58f099e5851dc60e08f470ce512121
Opcode Fuzzy Hash: 857c775585f62fc161abfb204963deb6b189b046421a73eab6c55891603ddffa
Instruction Fuzzy Hash: FC316172718B8582EB208F02E8807AA77A4FB88BC4F584135EA8DD7B59DF3DD515CB40

Function 00007FF6570E807C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

Strings

Error 0x%x: %ls, xrefs: 00007FF6570E8131
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp, xrefs: 00007FF6570E80C2, 00007FF6570E80FA
Failed to convert format string to wide character string, xrefs: 00007FF6570E80B6
Failed to format error message: "%ls", xrefs: 00007FF6570E810C

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID:
String ID: Error 0x%x: %ls$Failed to convert format string to wide character string$Failed to format error message: "%ls"$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\logutil.cpp
API String ID: 0-3266531466
Opcode ID: 83ecfdb9184ed45ca9b88aabc5d8780fd81a3915cd7051c8fe6c1be028fa76f5
Instruction ID: 3e1a9928b5ccccfc82a8027726113d7ae008f2f1b07ef549d963130814d28703
Opcode Fuzzy Hash: 83ecfdb9184ed45ca9b88aabc5d8780fd81a3915cd7051c8fe6c1be028fa76f5
Instruction Fuzzy Hash: 4F217172B1C64A82EB20DF55E4407BA77A0FB89784F480135DA4CE7BA5DF2DD508CB00

Function 00007FF6570F9880 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6570F9948

Strings

Failed to allocate value., xrefs: 00007FF6570F9921
Already processed this value., xrefs: 00007FF6570F98BC
Failed to get value., xrefs: 00007FF6570F98F9
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570F98A6, 00007FF6570F98D0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString
String ID: Already processed this value.$Failed to allocate value.$Failed to get value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
API String ID: 3341692771-474062544
Opcode ID: af4b3357bd25927f957d1befb003ebcfb3e3c8ab7444a466e72a168a40536013
Instruction ID: ad7738f71540c2f0d9e0615884ccb3350327c1175b74e917cac75d82f078b2f4
Opcode Fuzzy Hash: af4b3357bd25927f957d1befb003ebcfb3e3c8ab7444a466e72a168a40536013
Instruction Fuzzy Hash: C521D794B1C70A82FF219B59D98437963E5AF85380F5C0135DA4DD3795EF2DE40D8708

Function 00007FF6570F1538 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF6570F1577

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp, xrefs: 00007FF6570F15F0
Failed to get folder path for CSIDL: %d, xrefs: 00007FF6570F1587
Failed to backslash terminate shell folder path: %ls, xrefs: 00007FF6570F15DE
Failed to copy shell folder path: %ls, xrefs: 00007FF6570F15BA

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FolderPath
String ID: Failed to backslash terminate shell folder path: %ls$Failed to copy shell folder path: %ls$Failed to get folder path for CSIDL: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
API String ID: 1514166925-3657258693
Opcode ID: 60d10c7153b133880202fdfd95280996240e265f9bc5e10635a585a269809676
Instruction ID: 9ff6f5096680b98781507510a42955af0185e5fd022a6ea48e7270069a013ef9
Opcode Fuzzy Hash: 60d10c7153b133880202fdfd95280996240e265f9bc5e10635a585a269809676
Instruction Fuzzy Hash: 7321517672CB96C2EB208B15E49066A73A4FB89780F480132EE4DD7B55DF3DD505CB44

Function 00007FF6570F97B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6570F986D

Strings

Failed to get value., xrefs: 00007FF6570F97E4
Already process this datetime value., xrefs: 00007FF6570F983B
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp, xrefs: 00007FF6570F9825, 00007FF6570F984F
Failed to convert value to time., xrefs: 00007FF6570F9809

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FreeString
String ID: Already process this datetime value.$Failed to convert value to time.$Failed to get value.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\atomutil.cpp
API String ID: 3341692771-3942955074
Opcode ID: d6328dcb6cac5bb95e5cf575abaa838cd10fe842309121f5116a0d7df6bae635
Instruction ID: ae24deed0036a027013dfee126f909f468a5f048fd6043b80a867ee3609fb2a3
Opcode Fuzzy Hash: d6328dcb6cac5bb95e5cf575abaa838cd10fe842309121f5116a0d7df6bae635
Instruction Fuzzy Hash: B521CDA1B1C74A86FF108B56E48433963E0AF85384F684135DA4DD7795EF3CE80ACB08

Function 00007FF6570818F4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6570818FC

Strings

Abandoned wait for single object., xrefs: 00007FF657081933
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp, xrefs: 00007FF65708191F, 00007FF65708196D, 00007FF657081990
Failed to wait for single object., xrefs: 00007FF657081979

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ObjectSingleWait
String ID: Abandoned wait for single object.$Failed to wait for single object.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\apputil.cpp
API String ID: 24740636-2056904685
Opcode ID: b02d7eb3b48291a575e7f1eeb203afe4133c3a933711ec44571216533d81f05c
Instruction ID: e2bc142056a453282daed451153ed3e23eabce439b3cfa5765bafe4c633791bb
Opcode Fuzzy Hash: b02d7eb3b48291a575e7f1eeb203afe4133c3a933711ec44571216533d81f05c
Instruction Fuzzy Hash: A31152B0B28646C6F7505764D8817B522D2AF44350F68413EC98EE77E5DE2CE94D8348

Function 00007FF6570AD380 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF6570AD397
CoUninitialize.OLE32 ref: 00007FF6570AD422

Strings

Failed to pump messages in child process., xrefs: 00007FF6570AD3EF
d:\a\wix4\wix4\src\burn\engine\elevation.cpp, xrefs: 00007FF6570AD3B4, 00007FF6570AD400
Failed to initialize COM., xrefs: 00007FF6570AD3A3

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM.$Failed to pump messages in child process.$d:\a\wix4\wix4\src\burn\engine\elevation.cpp
API String ID: 3442037557-3194279326
Opcode ID: 2a2ec3f6f6aa8a75c1a06ce23b38337df34f13b5095af95bb6c8f6563054ed1e
Instruction ID: b9f509f9dd3d129208133c8fed8a3ac1076ebeb243c88fab7ec5075774a9de20
Opcode Fuzzy Hash: 2a2ec3f6f6aa8a75c1a06ce23b38337df34f13b5095af95bb6c8f6563054ed1e
Instruction Fuzzy Hash: 95115475B1C64683E720CB11E4803AAB3A1FB88384F580136EA8DE7B59DF7DE5198B04

Function 00007FF6570DB784 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6570DB7A9
GetProcAddress.KERNEL32 ref: 00007FF6570DB7BF
FreeLibrary.KERNEL32 ref: 00007FF6570DB7E6

Strings

mscoree.dll, xrefs: 00007FF6570DB7A0
CorExitProcess, xrefs: 00007FF6570DB7B8

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5265be840e21db70880cc59d7614667791f263de245fb1a15ec7ee3cdf05792b
Instruction ID: 30d1f2450b6e7faa03b99a1eabd2c9b8d3c4a840e9376cd85e03e6b791c83785
Opcode Fuzzy Hash: 5265be840e21db70880cc59d7614667791f263de245fb1a15ec7ee3cdf05792b
Instruction Fuzzy Hash: E2F04FE1A1974A82EB109B24E45533963A0EF447A1F580239D66DE56F4CF2CE04DC304

Function 00007FF6570A332C Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570A34EE

Part of subcall function 00007FF6570F5E0C: GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF6570A3412), ref: 00007FF6570F5E45

Strings

Failed to get certificate public key identifier., xrefs: 00007FF6570A3522
d:\a\wix4\wix4\src\burn\engine\cache.cpp, xrefs: 00007FF6570A3484, 00007FF6570A3502
Failed to read certificate thumbprint., xrefs: 00007FF6570A34D0
Failed to find expected public key in certificate chain., xrefs: 00007FF6570A3469

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$d:\a\wix4\wix4\src\burn\engine\cache.cpp
API String ID: 1452528299-112932794
Opcode ID: 24d6679d64d6024c27e7c6c6bafcb3b50d8235ac8a567648522d7445d89b5877
Instruction ID: 903f056816edb1cf6b00a8c2e45027c7c99b271618dad774ddfcabd9af2d5e69
Opcode Fuzzy Hash: 24d6679d64d6024c27e7c6c6bafcb3b50d8235ac8a567648522d7445d89b5877
Instruction Fuzzy Hash: F7517B72B18B068AEB50CF62D8802AD67E4FB48B98F484136DE4DE7B54DF78E4598704

Function 00007FF6570F0774 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

Failed to allocate memory for Verutil version from QWORD., xrefs: 00007FF6570F07C0
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\verutil.cpp, xrefs: 00007FF6570F07AA, 00007FF6570F07DA, 00007FF6570F0852
%lu.%lu.%lu.%lu, xrefs: 00007FF6570F0805
Failed to allocate and format the version string., xrefs: 00007FF6570F0846

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: HeapProcess
String ID: %lu.%lu.%lu.%lu$Failed to allocate and format the version string.$Failed to allocate memory for Verutil version from QWORD.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\verutil.cpp
API String ID: 54951025-3295944732
Opcode ID: 9633d0f383244bcbde40bd51c41daad63d31851f17d771de66226f27fbd05766
Instruction ID: 08a84e4b3628fb350ed4a84ad5b70ab7f8a877b9e8073baa9d63b499247cdaf5
Opcode Fuzzy Hash: 9633d0f383244bcbde40bd51c41daad63d31851f17d771de66226f27fbd05766
Instruction Fuzzy Hash: 2631A3B2B08749C6DB24CF16E8400A9B7E4FB88794B58413ADA4DD3759DF3CD545CB44

Function 00007FF6570FD034 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570FD056
GetLastError.KERNEL32 ref: 00007FF6570FD0BB

Strings

Failed to get content length string for internet file handle, xrefs: 00007FF6570FD084
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp, xrefs: 00007FF6570FD073, 00007FF6570FD09E, 00007FF6570FD0D8, 00007FF6570FD103
Failed to parse size for internet file handle: %ls, xrefs: 00007FF6570FD0EE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to get content length string for internet file handle$Failed to parse size for internet file handle: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\inetutil.cpp
API String ID: 1452528299-1743952032
Opcode ID: 53b5b989afbbe1a8090f54c21baaeb60bd149fab1520ee2149d2a180024078c5
Instruction ID: 688bc858afd2bc8f7caa3dea5ee10b13d4fad92e05b9c541f67f4ca7f810f5ca
Opcode Fuzzy Hash: 53b5b989afbbe1a8090f54c21baaeb60bd149fab1520ee2149d2a180024078c5
Instruction Fuzzy Hash: 5F21B2B1B18B4AC2E7109B62E8802AA73A5FF84750F480136DA4ED3B95DF3CE519C748

Function 00007FF6570D1E38 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF6570B8920), ref: 00007FF6570D1E61
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF6570B8920), ref: 00007FF6570D1EF7

Strings

Failed to set feed download URL., xrefs: 00007FF6570D1ECE
Engine is active, cannot change engine state., xrefs: 00007FF6570D1E7C
d:\a\wix4\wix4\src\burn\engine\externalengine.cpp, xrefs: 00007FF6570D1E8D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Engine is active, cannot change engine state.$Failed to set feed download URL.$d:\a\wix4\wix4\src\burn\engine\externalengine.cpp
API String ID: 3168844106-105427012
Opcode ID: 95fe6d35b8dc779d8a2aca135ee43d456ef53feef04488036ac1094bb4f4b8f8
Instruction ID: 9b31d0fcaff5cf689db7d1fab3482bca7568620a8d1eb214ff59ab4875c1d637
Opcode Fuzzy Hash: 95fe6d35b8dc779d8a2aca135ee43d456ef53feef04488036ac1094bb4f4b8f8
Instruction Fuzzy Hash: 8321A165B18B9687EB259F12E4402B9A3A4FF88B84F4D4131DE4CE3B91DF3CE55A8304

Function 00007FF65708C850 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF65708C872
LeaveCriticalSection.KERNEL32 ref: 00007FF65708C904

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708C8E0
Failed to get value as version for variable: %ls, xrefs: 00007FF65708C8CF
Failed to get value of variable: %ls, xrefs: 00007FF65708C8AC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-1616145386
Opcode ID: c1432041acffda1ce24f51658353c6afcff43e34905e735428815f3fdc33d8e7
Instruction ID: dbaa5aba4e0c3ced4ec4913a51ddab4eceb0ea37bb58f8d87aff5dd18bff5862
Opcode Fuzzy Hash: c1432041acffda1ce24f51658353c6afcff43e34905e735428815f3fdc33d8e7
Instruction Fuzzy Hash: 9221D2A1B08B4AC6FB109B01E48436A67A0FB88BA4F4C4275DE4DE7795DF7CE549C740

Function 00007FF65708C6C4 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF65708C6E6
LeaveCriticalSection.KERNEL32 ref: 00007FF65708C775

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708C751
Failed to get value as string for variable: %ls, xrefs: 00007FF65708C740
Failed to get value of variable: %ls, xrefs: 00007FF65708C720

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-1150034902
Opcode ID: 2eb73b23d6ae166411412550206dbc74be1a42241587657663f1bec5297220d1
Instruction ID: e590a1eba3a753cbe7932b01c6f6a6e7199514959f68abd4a635218fe970c79c
Opcode Fuzzy Hash: 2eb73b23d6ae166411412550206dbc74be1a42241587657663f1bec5297220d1
Instruction Fuzzy Hash: 4A119DB1B08B4AC6EB10DB02E88426A67A0FB88BD4F1C4135DA4DE7B95CF7DE549C700

Function 00007FF65708C5F4 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000), ref: 00007FF65708C616
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000), ref: 00007FF65708C6A5

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708C681
Failed to get value of variable: %ls, xrefs: 00007FF65708C650
Failed to get value as numeric for variable: %ls, xrefs: 00007FF65708C670

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-1964378859
Opcode ID: 2607b6bd303937cd258ed415a5af3f34781557be8cf994a9684afc9b0ee7b010
Instruction ID: b885a981cbcb174a50e7e1127fdea4dbeb5c1117dd25dc0c7d5b29f8440c98f5
Opcode Fuzzy Hash: 2607b6bd303937cd258ed415a5af3f34781557be8cf994a9684afc9b0ee7b010
Instruction Fuzzy Hash: 3D11AFF1B08B5686EB109B02E88437A67A0FB88BE4F184135DA4DE7B55CF7CE559C704

Function 00007FF6570DE380 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6570DA3BB,?,?,00000000,00007FF6570DA656,?,?,?,?,?,00007FF6570DA5E2), ref: 00007FF6570DE39F
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA3BB,?,?,00000000,00007FF6570DA656,?,?,?,?,?,00007FF6570DA5E2), ref: 00007FF6570DE3BE
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA3BB,?,?,00000000,00007FF6570DA656,?,?,?,?,?,00007FF6570DA5E2), ref: 00007FF6570DE3E6
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA3BB,?,?,00000000,00007FF6570DA656,?,?,?,?,?,00007FF6570DA5E2), ref: 00007FF6570DE3F7
FlsSetValue.KERNEL32(?,?,?,00007FF6570DA3BB,?,?,00000000,00007FF6570DA656,?,?,?,?,?,00007FF6570DA5E2), ref: 00007FF6570DE408

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f302dbae5d0bc6288c9314cf8b6c221561df70a0060d62d4ab23de99c67f51b9
Instruction ID: 982972a83ea76fdc00ef72b5a19e34151ca5541aa66a04bb9ae16e6e55ecfd54
Opcode Fuzzy Hash: f302dbae5d0bc6288c9314cf8b6c221561df70a0060d62d4ab23de99c67f51b9
Instruction Fuzzy Hash: 9811AFA0E0874B82FF68A731A54513A21C26F847B4F5C4334F97EE66D6DE7CF44A8208

Function 00007FF6570DE214 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6570DE225
FlsSetValue.KERNEL32 ref: 00007FF6570DE244
FlsSetValue.KERNEL32 ref: 00007FF6570DE26C
FlsSetValue.KERNEL32 ref: 00007FF6570DE27D
FlsSetValue.KERNEL32 ref: 00007FF6570DE28E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92d4853f9bbdd39c811b8a8b46b0882b8177f75986b6b915a0c50430598f6381
Instruction ID: 5d8c54e9876b4a061e661b413e3c60248d4e4015eb4de3a95944556db1cca6e8
Opcode Fuzzy Hash: 92d4853f9bbdd39c811b8a8b46b0882b8177f75986b6b915a0c50430598f6381
Instruction Fuzzy Hash: CE113C90E0830F82FF68A771941267A12C15F85374F5C0B38E93DEA2D3ED3CB4494208

Function 00007FF65708C794 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65708C7B6
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65708C833

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708C80F
Failed to copy value of variable: %ls, xrefs: 00007FF65708C7FE
Failed to get value of variable: %ls, xrefs: 00007FF65708C7D9

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-3684767681
Opcode ID: dcc9417831fc31315e82519a02b7561bb6554119f6288cd935556dffc3b18f1a
Instruction ID: d3714784d26009914174b6fed9cf2ff3777767e54714f97e7195909db2642a34
Opcode Fuzzy Hash: dcc9417831fc31315e82519a02b7561bb6554119f6288cd935556dffc3b18f1a
Instruction Fuzzy Hash: 12119EA1B18B8686EB10DB12E88426A67A4FB88BD0F084135EE8DD7B55DF7CE559C700

Function 00007FF6570D3250 Relevance: 7.5, APIs: 5, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF6570D3265
CloseHandle.KERNEL32 ref: 00007FF6570D3278
CloseHandle.KERNEL32 ref: 00007FF6570D328C
CloseHandle.KERNEL32 ref: 00007FF6570D32A0
UnmapViewOfFile.KERNEL32 ref: 00007FF6570D32B4

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 1b98caab4a36da19b52b209f3163e47852b678859b0a5da766c622f73ea9f467
Instruction ID: 5b3d631fd5766ca7bbda5dc72227131413828f95a1c9522a7f215f65e08b65a1
Opcode Fuzzy Hash: 1b98caab4a36da19b52b209f3163e47852b678859b0a5da766c622f73ea9f467
Instruction Fuzzy Hash: 8801D6AAA0AA4A86FF699FA1D86533863A0EF44F44F0C4534C90EDA154DF7CE4588298

Function 00007FF6570D6FC4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6570D6FEC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6570D70D4

Strings

csm, xrefs: 00007FF6570D7126
csm, xrefs: 00007FF6570D700E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 4d9676954442bf96d237a56c501979dc03a8134797853d3bb2f8187c96ed76f3
Instruction ID: 51edee9cbd69cce32fc6849cbe024254f14528c2e21ae142737ab4897557264b
Opcode Fuzzy Hash: 4d9676954442bf96d237a56c501979dc03a8134797853d3bb2f8187c96ed76f3
Instruction Fuzzy Hash: FB5192B690834A8AEB348F25944427876E0EB44B94F186235DB9CE7BD5CF3CE459CB48

Function 00007FF6570F3828 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570F3905

Strings

Invalid dictionary - bucket size index is out of range, xrefs: 00007FF6570F3858
Failed to hash the string., xrefs: 00007FF6570F38A9
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dictutil.cpp, xrefs: 00007FF6570F386F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to hash the string.$Invalid dictionary - bucket size index is out of range$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dictutil.cpp
API String ID: 1825529933-1798595610
Opcode ID: b21b11f71abef4484a5c858234bd56fe1f08b4f546422d009895f67449168a1c
Instruction ID: 54f52c389e7ac4950a91f1c754ce7ec5ff1042dc836797adad10c3492c43299c
Opcode Fuzzy Hash: b21b11f71abef4484a5c858234bd56fe1f08b4f546422d009895f67449168a1c
Instruction Fuzzy Hash: 533182B2A08B46C6EB10CF06E48056DB7A0FB88B64F584235DA5DD77A0CF3DE856C704

Function 00007FF6570F68A4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF6570F6988

Strings

Failed to open policy key: %ls, name: %ls, xrefs: 00007FF6570F694E
Failed to open policy key: %ls, xrefs: 00007FF6570F68DE
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp, xrefs: 00007FF6570F68FE, 00007FF6570F695F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Close
String ID: Failed to open policy key: %ls$Failed to open policy key: %ls, name: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\polcutil.cpp
API String ID: 3535843008-3938230626
Opcode ID: d973429e640475dbb90c0a1eff05d2deba26d9ef3adbe27ff8f935dd0b2eb6e8
Instruction ID: ccf78d1753bfda447d52e22d104200c4a8e47f12bc49c4e9194e519290d48789
Opcode Fuzzy Hash: d973429e640475dbb90c0a1eff05d2deba26d9ef3adbe27ff8f935dd0b2eb6e8
Instruction Fuzzy Hash: 243172B271C74A86EB218F52E4806A973A8FB88B90F584239DB4DD3750DF3CE959C704

Function 00007FF6570F82E8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F85F8: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,?), ref: 00007FF6570F870E
Part of subcall function 00007FF6570F85F8: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,?), ref: 00007FF6570F872F

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6570F9155), ref: 00007FF6570F83C7

Strings

HEAD, xrefs: 00007FF6570F8330
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp, xrefs: 00007FF6570F8362
Failed to connect to URL: %ls, xrefs: 00007FF6570F834D

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Timelstrlen$FileSystem
String ID: Failed to connect to URL: %ls$HEAD$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\dlutil.cpp
API String ID: 3954044709-1251758901
Opcode ID: 195a85674bb04444b13010bc2e7cc85395699d1c0fcdb0906663edb84740c2e5
Instruction ID: 0a1cd5f15d9141a4632108695ced7e638ba454539e7f0cc7c590a9233f468ba7
Opcode Fuzzy Hash: 195a85674bb04444b13010bc2e7cc85395699d1c0fcdb0906663edb84740c2e5
Instruction Fuzzy Hash: 5531367270CB8A85DB20CF12E8841AD73A4FB88B80F590136DA9DD7B64DF39D958C744

Function 00007FF6570F2858 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00009002), ref: 00007FF6570F28AB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00009002), ref: 00007FF6570F28B5

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F28EB, 00007FF6570F290E
Failed to read data from file handle., xrefs: 00007FF6570F2902

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to read data from file handle.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 1948546556-2736598211
Opcode ID: d725aed0b7f6d72eca70223a0333dc4b9cadb5037894a78989eac7f154f13a73
Instruction ID: 6998b677ffc2daabb295c9994e2199d659e1564c6a3e04679888c083ceda60ea
Opcode Fuzzy Hash: d725aed0b7f6d72eca70223a0333dc4b9cadb5037894a78989eac7f154f13a73
Instruction Fuzzy Hash: 7921C572B08B9986E720DF56E840669A7E0FB84BA0F480235DE4CD3794DF3CE54AC704

Function 00007FF6570EB4F8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EA674: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,00007FF6570EA66D), ref: 00007FF6570EA6C1

RegCloseKey.ADVAPI32 ref: 00007FF6570EB5D8

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EB55C, 00007FF6570EB5B5
Failed to read value type: %ls/@%ls, xrefs: 00007FF6570EB59E
Failed to open key: %ls, xrefs: 00007FF6570EB54B

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open key: %ls$Failed to read value type: %ls/@%ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 47109696-3852982929
Opcode ID: 7e0f4dc421d206c0b62ae5bae23aba5848e9f73f7f7c3a181bc54c62559296f1
Instruction ID: cad7c52a54cb83ca7fa82ccdddf5c71413f652686bae7a224ee6521b5e1a5117
Opcode Fuzzy Hash: 7e0f4dc421d206c0b62ae5bae23aba5848e9f73f7f7c3a181bc54c62559296f1
Instruction Fuzzy Hash: B5215E72B0874A86EB209B01F48176976E0FB85B90F580235EA4DD7B95DF3DE948CB00

Function 00007FF6570D32C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,00007FF6570D3604), ref: 00007FF6570D32F6
ReleaseMutex.KERNEL32(?,?,?,?,?,00007FF6570D3604), ref: 00007FF6570D33A5

Part of subcall function 00007FF657086828: GetProcessHeap.KERNEL32(?,?,00000000,00007FF657082158,?,?,?,?,?,?,00000000,00007FF657081F49,?,?,?,00000000), ref: 00007FF65708683C

Strings

Failed to allocate memory for message data, xrefs: 00007FF6570D3352
d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp, xrefs: 00007FF6570D3337, 00007FF6570D335E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: HeapMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$d:\a\wix4\wix4\src\burn\engine\netfxchainer.cpp
API String ID: 1927941271-954368992
Opcode ID: c654562947861c8fe8a31c9448c68e3616df2fbd3b986bb2c51ff1e735ed6fea
Instruction ID: 88f90b4a38b111c00331e77a4424c3ba58b34206a778944198f0d379091b35b6
Opcode Fuzzy Hash: c654562947861c8fe8a31c9448c68e3616df2fbd3b986bb2c51ff1e735ed6fea
Instruction Fuzzy Hash: FB2148B6704B54C2E710CF12E440269BBA0FB88F90F498635EB4C97B95DF39E429CB44

Function 00007FF6570EA564 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EA674: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,00007FF6570EA66D), ref: 00007FF6570EA6C1

RegCloseKey.ADVAPI32 ref: 00007FF6570EA642

Strings

Failed to read value: %ls/@%ls, xrefs: 00007FF6570EA608
d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp, xrefs: 00007FF6570EA5C3, 00007FF6570EA61F
Failed to open key: %ls, xrefs: 00007FF6570EA5B2

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open key: %ls$Failed to read value: %ls/@%ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\regutil.cpp
API String ID: 47109696-2566192520
Opcode ID: 3b130d45959f5c6743606b870a15f0967d14906804007f36e1cfbab80d00caa5
Instruction ID: 0006d9b4aac8d59c004d13f95a380a8b7a041ae0c60f937d7185502d24e8d05d
Opcode Fuzzy Hash: 3b130d45959f5c6743606b870a15f0967d14906804007f36e1cfbab80d00caa5
Instruction Fuzzy Hash: D92171B2B1879A85EB209B01E4842BD72E4FB89790F580239DA4DE3B95DF3DD949C700

Function 00007FF6570CF2BC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570F2798: FindFirstFileW.KERNEL32 ref: 00007FF6570F27DE
Part of subcall function 00007FF6570F2798: FindClose.KERNEL32 ref: 00007FF6570F27ED

SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,00007FF6570CBD3B,?,?,?,?,00000000,00000000,?,00007FF6570CECC6), ref: 00007FF6570CF2FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6570CBD3B,?,?,?,?,00000000,00000000,?,00007FF6570CECC6), ref: 00007FF6570CF308

Strings

Failed to clear readonly bit on payload destination path: %ls, xrefs: 00007FF6570CF34D
d:\a\wix4\wix4\src\burn\engine\apply.cpp, xrefs: 00007FF6570CF33C, 00007FF6570CF35E

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLast
String ID: Failed to clear readonly bit on payload destination path: %ls$d:\a\wix4\wix4\src\burn\engine\apply.cpp
API String ID: 1980345056-600630982
Opcode ID: 307c8b9bc2cc2462c9feeea8b47fff988392d13b030302f8740b76046eb824d5
Instruction ID: 4be9196c00600ba0b5cbc4dfb6616c5cc5f8daa6a52f13e5a70baafbca8191bf
Opcode Fuzzy Hash: 307c8b9bc2cc2462c9feeea8b47fff988392d13b030302f8740b76046eb824d5
Instruction Fuzzy Hash: FB11D5F2B0874682E7109B55E98026AB7E8EF94BE0F580136D94DD7394CF7CE8488754

Function 00007FF6570A7FB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF6570A7FD5
CoUninitialize.OLE32 ref: 00007FF6570A8059

Strings

Failed to initialize COM on cache thread., xrefs: 00007FF6570A7FE8
d:\a\wix4\wix4\src\burn\engine\core.cpp, xrefs: 00007FF6570A8007

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.$d:\a\wix4\wix4\src\burn\engine\core.cpp
API String ID: 3442037557-102543622
Opcode ID: b12ce03a8c121ae674c7b9beede6cb57c4867d743a30035a42eefaf89a64d3af
Instruction ID: 265b82324a78ffbaacf6d6fa183290c03af26c6b5fe2ec0281bbb1a85f03e237
Opcode Fuzzy Hash: b12ce03a8c121ae674c7b9beede6cb57c4867d743a30035a42eefaf89a64d3af
Instruction Fuzzy Hash: 4A116A72B08B8A86D764CF22E4401AAB3A0F788B94F484132DF8DD3755CF38E569C744

Function 00007FF6570EE764 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6570EE786
SysFreeString.OLEAUT32 ref: 00007FF6570EE7F3

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp, xrefs: 00007FF6570EE79F, 00007FF6570EE7C7
failed SysAllocString, xrefs: 00007FF6570EE7AD

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: String$AllocFree
String ID: d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\xmlutil.cpp$failed SysAllocString
API String ID: 344208780-608482133
Opcode ID: f0480deedfbd0f0703d6dd9f65a9d56f3cbef12a1d339df6ab43f0eb338fe897
Instruction ID: 4b01f9e835cf0e475472c6478362238598f4f27c1ec7fcb3af65d9b72cf34d4c
Opcode Fuzzy Hash: f0480deedfbd0f0703d6dd9f65a9d56f3cbef12a1d339df6ab43f0eb338fe897
Instruction Fuzzy Hash: 4A118CA5B1878EC2EB10CB16E9401B963A1AF89BD0B5C4135CE4DE3B65DF3CE55A8704

Function 00007FF65708B3D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF65708B3EA

Part of subcall function 00007FF6570E94B4: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6570E94E1
Part of subcall function 00007FF6570E94B4: GetLastError.KERNEL32 ref: 00007FF6570E94EB

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708B417, 00007FF65708B45E
Failed to set variant value., xrefs: 00007FF65708B44D
Failed to check if process token has privilege: %ls., xrefs: 00007FF65708B406

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CurrentErrorLastLookupPrivilegeProcessValue
String ID: Failed to check if process token has privilege: %ls.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3865200005-2747678004
Opcode ID: 1be94d98c973188314bce5df5c29b0b9420840484a4c192c0a51e56afc0ed3c2
Instruction ID: 56e3e49483ee17524aac0b20df02311f86b44cc8373919c5140a9968a3ef189b
Opcode Fuzzy Hash: 1be94d98c973188314bce5df5c29b0b9420840484a4c192c0a51e56afc0ed3c2
Instruction Fuzzy Hash: DD115471B0CB8682EB10DB41F48026AA7A4FB487D4F484139EA8CD7B99DFBCD119CB40

Function 00007FF6570F3090 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF6570F30A7
GetLastError.KERNEL32 ref: 00007FF6570F30B1

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp, xrefs: 00007FF6570F30DB, 00007FF6570F30F9
Failed to get size of file., xrefs: 00007FF6570F30ED

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: Failed to get size of file.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\fileutil.cpp
API String ID: 464720113-3816715765
Opcode ID: 5ebdf16604ac2e6e306c0d264ed995e62e7b71d363c7acebbf840bd6e1ed392f
Instruction ID: b1bfab681a8a90f4676b0a0d77723afb4c0ba072b5fcbce469387c2a61f72daa
Opcode Fuzzy Hash: 5ebdf16604ac2e6e306c0d264ed995e62e7b71d363c7acebbf840bd6e1ed392f
Instruction Fuzzy Hash: E3017572B08B45C6EB109F1AE8901B973E5AF887A0F5C403ADA4ED7764DE3CD5598708

Function 00007FF65708B050 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF65708B069

Part of subcall function 00007FF6570E95E8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF65708B07C), ref: 00007FF6570E960E
Part of subcall function 00007FF6570E95E8: GetProcAddress.KERNEL32(?,?,?,?,?,00007FF65708B07C), ref: 00007FF6570E961E
Part of subcall function 00007FF6570E95E8: GetLastError.KERNEL32(?,?,?,?,?,00007FF65708B07C), ref: 00007FF6570E9645

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708B0B9
Failed to get native machine value., xrefs: 00007FF65708B082
Failed to set variant value., xrefs: 00007FF65708B0A8

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get native machine value.$Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 896058289-3337725491
Opcode ID: 6b9a3f1191d9a0b80a97dc97a495c8f92b32eb4ef93ffa72da7dd6093c9789fc
Instruction ID: 1c1fad4f98c23d7a653c7b0a0016e2f54b1b2d95f83aea5c1a82caa65ddf5aac
Opcode Fuzzy Hash: 6b9a3f1191d9a0b80a97dc97a495c8f92b32eb4ef93ffa72da7dd6093c9789fc
Instruction Fuzzy Hash: CD01D661B1CA9682EB10DB55E48056BA3A0FF84790F480135EE9CD3759EF6CE1098B01

Function 00007FF657099384 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,00007FF657088679), ref: 00007FF6570993B7
FreeLibrary.KERNEL32(?,?,?,00007FF657088679), ref: 00007FF6570993DC
GetLastError.KERNEL32(?,?,?,00007FF657088679), ref: 00007FF6570993E6

Strings

BootstrapperApplicationDestroy, xrefs: 00007FF6570993B0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 8040c1b8992b840429c8a18cfd7bbb8d9c305637a9c14a98cd9402716d6c778d
Instruction ID: 8843966db301ad44c24252441444e2018de8f8e21bc0c281d2ffdcffbbbed2e7
Opcode Fuzzy Hash: 8040c1b8992b840429c8a18cfd7bbb8d9c305637a9c14a98cd9402716d6c778d
Instruction Fuzzy Hash: BB0180B2A2868687EB408F15E48423973F0FB94B44F484135E74EC7554EF3CE899C700

Function 00007FF6570932FC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,00007FF657088CA9), ref: 00007FF657093338
FreeLibrary.KERNEL32(?,?,?,00007FF657088CA9), ref: 00007FF65709334E
GetLastError.KERNEL32(?,?,?,00007FF657088CA9), ref: 00007FF657093358

Strings

BundleExtensionDestroy, xrefs: 00007FF657093331

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BundleExtensionDestroy
API String ID: 1144718084-3206861012
Opcode ID: 834f6dbf132107654f54383a4784ef038e404e45486db7456822bee6f463f941
Instruction ID: 28fc5c99ef002ec99d9bfb891a1f01f287e3d1b0667480c6b78eeee0b764b973
Opcode Fuzzy Hash: 834f6dbf132107654f54383a4784ef038e404e45486db7456822bee6f463f941
Instruction Fuzzy Hash: 24015B72A19A45D6EB019F22E84132973E0FB84F88F0C8535D65EE3658CF3CE59ACB04

Function 00007FF6570B6570 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,00000000,00007FF6570B791A,?,?,?,?,00000000,00007FF657091526), ref: 00007FF6570B657D
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6570B791A,?,?,?,?,00000000,00007FF657091526), ref: 00007FF6570B6587

Strings

d:\a\wix4\wix4\src\burn\engine\cabextract.cpp, xrefs: 00007FF6570B659B, 00007FF6570B65CA
Failed to set begin operation event., xrefs: 00007FF6570B65BE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$d:\a\wix4\wix4\src\burn\engine\cabextract.cpp
API String ID: 3848097054-3005980414
Opcode ID: a7294b9593fcab44abb805d8fe2cba3e8d723f3810056adfe15ffc8dbc12cdf7
Instruction ID: 451bca4dffa692c6dee1a565574f088b95f5dcd4c63bbe49e91da451b55a4f29
Opcode Fuzzy Hash: a7294b9593fcab44abb805d8fe2cba3e8d723f3810056adfe15ffc8dbc12cdf7
Instruction Fuzzy Hash: B201A9A0B1870986F7109F65F8C06B923D4AF58B50F4C0135DD4ED76A1DE2CF6198714

Function 00007FF6570E4698 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6570E4683,00000000), ref: 00007FF6570E47B4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6570E4683,00000000), ref: 00007FF6570E483F

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 9b93c8684649af2708d4c6c5d59f2dd9f1a1ee6e4cfe314bb53aca832c78c319
Instruction ID: 9da9382987b63a25c1a04aee5ed747b1fe097ff1af45cb05f2d053f0830b49bb
Opcode Fuzzy Hash: 9b93c8684649af2708d4c6c5d59f2dd9f1a1ee6e4cfe314bb53aca832c78c319
Instruction Fuzzy Hash: 1E91A2A2F0869F85F7A08F6594806BD2BE0AB45B88F5C4139FE4EF7684DE38D449C700

Function 00007FF6570F162C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6570F16DC
CloseHandle.KERNEL32 ref: 00007FF6570F1745

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp, xrefs: 00007FF6570F16F0, 00007FF6570F1730
ShellExecEx failed with return code: %d, xrefs: 00007FF6570F1712

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: ShellExecEx failed with return code: %d$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\shelutil.cpp
API String ID: 918212764-2133313566
Opcode ID: e69d4f336506fcaea0130c40c91e290d7fdbec3ace6dceecfb2f055259f037db
Instruction ID: fe72146fe40cb16127f3060336a460d14eb6620fe5f3583718c3783ad54318d3
Opcode Fuzzy Hash: e69d4f336506fcaea0130c40c91e290d7fdbec3ace6dceecfb2f055259f037db
Instruction Fuzzy Hash: 30413876B25B458AEB20CF65E8406A933E5FB48B88F190135DE4DE3B54DF38D81AC744

Function 00007FF65708D7A0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65708D7C2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF65708D82D

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708D7FD
Failed to get visibility of variable: %ls, xrefs: 00007FF65708D7EC

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get visibility of variable: %ls$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 3168844106-1405185440
Opcode ID: 3157d9cadce27a172ff07b2d371a0fb2d835f1df5e09024e0b736305642b4d71
Instruction ID: a258859af165ead436bf96c4a51008cb2ffa174ddba6ad6119ec4d820e033d73
Opcode Fuzzy Hash: 3157d9cadce27a172ff07b2d371a0fb2d835f1df5e09024e0b736305642b4d71
Instruction Fuzzy Hash: 46119EB2A18B96C6E7109F02E48026A77A0FB98F90F484139DB4DD3B54CF7CE55AC744

Function 00007FF657088250 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF657088263
SetEvent.KERNEL32 ref: 00007FF657088282
GetLastError.KERNEL32 ref: 00007FF65708828C
LeaveCriticalSection.KERNEL32 ref: 00007FF657088295

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CriticalSection$EnterErrorEventLastLeave
String ID:
API String ID: 2851136515-0
Opcode ID: c562eb490bc41f483973d55a8e6c4b438559ecbcf11e53de4dd64529f6b988b5
Instruction ID: 857a97de4f5605597d0a143619799632643a8f6f01a476ab04989020b93b729e
Opcode Fuzzy Hash: c562eb490bc41f483973d55a8e6c4b438559ecbcf11e53de4dd64529f6b988b5
Instruction Fuzzy Hash: 22F012D171894782EB146B66E99493963A0EF49BD4F485030DA0ED7655DE2CF4988704

Function 00007FF6570DB0A8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6570DB0DA

Part of subcall function 00007FF6570DC91C: HeapFree.KERNEL32(?,?,00000000,00007FF6570E0212,?,?,?,00007FF6570E024F,?,?,00000000,00007FF6570E0749,?,?,?,00007FF6570E067B), ref: 00007FF6570DC932
Part of subcall function 00007FF6570DC91C: GetLastError.KERNEL32(?,?,00000000,00007FF6570E0212,?,?,?,00007FF6570E024F,?,?,00000000,00007FF6570E0749,?,?,?,00007FF6570E067B), ref: 00007FF6570DC93C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6570D3BC5), ref: 00007FF6570DB0F8

Strings

C:\Users\user\Desktop\VmjvNTbD5J.exe, xrefs: 00007FF6570DB0E6

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\VmjvNTbD5J.exe
API String ID: 3580290477-1075079528
Opcode ID: dc28049cd6b234c3fc6132be077034b75c04e15d0a5f963cd9a2e0be23ef2459
Instruction ID: cbb0b31be953d4a97e05c386aa585f51854914143fd11125f31d4a1effb59dc1
Opcode Fuzzy Hash: dc28049cd6b234c3fc6132be077034b75c04e15d0a5f963cd9a2e0be23ef2459
Instruction Fuzzy Hash: 40416EB6A0875A89EB14AF25A8810BD76E5EF44BD4B4C4035EA4EE3B45DF3CE9498304

Function 00007FF6570E4408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6570E451F
GetLastError.KERNEL32 ref: 00007FF6570E4541

Strings

U, xrefs: 00007FF6570E44CB

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 241ae4cb15b864cda83524f68f3b7dc5ff12d7398406e8703363b57b10766c99
Instruction ID: cc754094dd44b017d9b6a6c496cd5a1c70d9b5117c46a9e0273260d7431ad1f5
Opcode Fuzzy Hash: 241ae4cb15b864cda83524f68f3b7dc5ff12d7398406e8703363b57b10766c99
Instruction Fuzzy Hash: 9141C3A2B18A8A81DB60CF25E4443A977A0FB88794F594031FE4DD7B98DF7CE445C740

Function 00007FF6570C210C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00007FF6570C2188

Strings

Failed to add chained patch., xrefs: 00007FF6570C21CA
d:\a\wix4\wix4\src\burn\engine\mspengine.cpp, xrefs: 00007FF6570C21DB

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareString
String ID: Failed to add chained patch.$d:\a\wix4\wix4\src\burn\engine\mspengine.cpp
API String ID: 1825529933-1868150798
Opcode ID: eb28502aaf13a03f912d075f369a35390b49c81a9de07fdc5edd64d39a0e62cb
Instruction ID: 9f23290c5f6041af318751be280220312cac61f4f4f7c4845b7e93332073619e
Opcode Fuzzy Hash: eb28502aaf13a03f912d075f369a35390b49c81a9de07fdc5edd64d39a0e62cb
Instruction Fuzzy Hash: 763138B2B14A4596E724CF19E880AADB7A4F744794F584136DE5DE3BA0CF3CE496C700

Function 00007FF6570F7648 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570EA674: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,00007FF6570EA66D), ref: 00007FF6570EA6C1

RegCloseKey.ADVAPI32 ref: 00007FF6570F7728

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp, xrefs: 00007FF6570F76C1
Failed to open uninstall key for potential related bundle: %ls, xrefs: 00007FF6570F76B0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open uninstall key for potential related bundle: %ls$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\butil.cpp
API String ID: 47109696-3466351475
Opcode ID: 43c684ff03948c721dc28f214240550a10515e6c4d13b73b4854f953ffc7e857
Instruction ID: ff3df488af2abc208c2fc3cdc834204ea4a6216dc959626eda3f34bb87bf4c0f
Opcode Fuzzy Hash: 43c684ff03948c721dc28f214240550a10515e6c4d13b73b4854f953ffc7e857
Instruction Fuzzy Hash: 533157B6B14B558AE710CF62E8406AD37A0FB48B98F484135EE4DA3B18DF38D515CB00

Function 00007FF6570B586C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF657083250: FormatMessageW.KERNEL32 ref: 00007FF6570832A4
Part of subcall function 00007FF657083250: GetLastError.KERNEL32 ref: 00007FF6570832B4
Part of subcall function 00007FF657083250: LocalFree.KERNEL32 ref: 00007FF657083365

MessageBoxW.USER32 ref: 00007FF6570B58E2

Strings

Failed to allocate string to display error message, xrefs: 00007FF6570B58A2
d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp, xrefs: 00007FF6570B58AE

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: Message$ErrorFormatFreeLastLocal
String ID: Failed to allocate string to display error message$d:\a\wix4\wix4\src\burn\engine\splashscreen.cpp
API String ID: 2195691534-719764090
Opcode ID: 09451a68cb9bba779cb9ec40a3cf89021201b6ca1d4afd7175b65764d0b6e864
Instruction ID: 4c83f30b221e3ecf0d693f835543502ff2a37ce2cb8cdc0e98dd43e783c997a0
Opcode Fuzzy Hash: 09451a68cb9bba779cb9ec40a3cf89021201b6ca1d4afd7175b65764d0b6e864
Instruction Fuzzy Hash: 4C11E1B2F0865582E7208B56E45077E73A0FB48BC0FA84136EA4DE7B55DF3DEA498700

Function 00007FF6570893CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,00007FF657081190), ref: 00007FF6570893FF
CompareStringW.KERNEL32(?,?,?,?,?,00007FF657081190), ref: 00007FF657089442

Strings

burn.clean.room, xrefs: 00007FF6570893E1

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: ad14d0f9418f693a815ad40dc2e2055b593c211d88fb7df31a6088137c986642
Instruction ID: 17e869f797b187ef00126952eae9b83a399cce2c44b3a6dafdf0b7fb8a0da19c
Opcode Fuzzy Hash: ad14d0f9418f693a815ad40dc2e2055b593c211d88fb7df31a6088137c986642
Instruction Fuzzy Hash: 1A01A9B1B2824A82EB209F15A444539B7A0FB58B84F5C0035DA4CE3B98DF2CEA59CB00

Function 00007FF65708B5A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00007FF65708B5D1

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708B612
Failed to set variant value., xrefs: 00007FF65708B601

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: InfoNativeSystem
String ID: Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 1721193555-2731189036
Opcode ID: 51651b8b99521edf3b2065d24b1c0972709de01fabf245201aaf872e11e5ed41
Instruction ID: 2a028129b94f617950fa49d10ed2fcfb2360f4b50e4dca6442a91429e82b6ef7
Opcode Fuzzy Hash: 51651b8b99521edf3b2065d24b1c0972709de01fabf245201aaf872e11e5ed41
Instruction Fuzzy Hash: 13014472B28A8582D750DB11F4805AAB3A0FB94784F584135FA9ED7B59DF3CD958CB00

Function 00007FF6570E96BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6570E92C0: OpenProcessToken.ADVAPI32(?,00007FF6570E96E2), ref: 00007FF6570E92EA
Part of subcall function 00007FF6570E92C0: GetLastError.KERNEL32 ref: 00007FF6570E92F4
Part of subcall function 00007FF6570E92C0: CloseHandle.KERNEL32 ref: 00007FF6570E9495

IsWellKnownSid.ADVAPI32 ref: 00007FF6570E9720

Strings

d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp, xrefs: 00007FF6570E96FE
Failed to get TokenUser from process token., xrefs: 00007FF6570E96F2

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseErrorHandleKnownLastOpenProcessTokenWell
String ID: Failed to get TokenUser from process token.$d:\a\wix4\wix4\src\libs\dutil\wixtoolset.dutil\procutil.cpp
API String ID: 3112027504-95618751
Opcode ID: c0fb00d49a4fb78e57319cd994e959f9190896fe42b74e644aeaab94d7c369e2
Instruction ID: cbfec6323570803a32c4ad0398a3a57fd9a48b7c7dd544b409439e8a955edc08
Opcode Fuzzy Hash: c0fb00d49a4fb78e57319cd994e959f9190896fe42b74e644aeaab94d7c369e2
Instruction Fuzzy Hash: 33016DB6A18A4A86EF108F12E4002A977A4EB84B90F5C4131DA4CE7765DE3CD949C740

Function 00007FF65708A770 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00007FF65708A779

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708A7A1
Failed to set variant value., xrefs: 00007FF65708A790

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: DefaultLangSystem
String ID: Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 706401283-2731189036
Opcode ID: ebfd84084d59ec19a3c0dd7174503bd49dfbc01ee25f5b5bd8c4fd50321b90ed
Instruction ID: c16af40f3fddf632b681a52483f52ef0f7e8813b84f8037c905cbbbfcc059f12
Opcode Fuzzy Hash: ebfd84084d59ec19a3c0dd7174503bd49dfbc01ee25f5b5bd8c4fd50321b90ed
Instruction Fuzzy Hash: 4BE092A4B18A9682FF14DB11E8802B653A0AF98350F4C0039DD8DD7795DE3CE15D8700

Function 00007FF65708A7D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00007FF65708A7D9

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708A801
Failed to set variant value., xrefs: 00007FF65708A7F0

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: DefaultLangUser
String ID: Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 768647712-2731189036
Opcode ID: 487de733fae6fef32328cc5a54f210b864faeda92fa39184569585251416f309
Instruction ID: 6b28a274a45e3aad875ee70741f84f51f4c94e9a7e6abba90c9ba13d5de7fd2d
Opcode Fuzzy Hash: 487de733fae6fef32328cc5a54f210b864faeda92fa39184569585251416f309
Instruction Fuzzy Hash: F0E0D8A4B18A9682FF14DB11E8802B663A0AF58350F4C4039DD8DD7791EE3CE16DCB10

Function 00007FF65708A830 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32 ref: 00007FF65708A839

Strings

d:\a\wix4\wix4\src\burn\engine\variable.cpp, xrefs: 00007FF65708A861
Failed to set variant value., xrefs: 00007FF65708A850

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: Failed to set variant value.$d:\a\wix4\wix4\src\burn\engine\variable.cpp
API String ID: 95929093-2731189036
Opcode ID: 5f210d7b2d89e8e477a15f0564f887c0e2e7e443ad61579b0c31903b7815b04c
Instruction ID: 23962c396695cc94f99bee11218484f425494c2b72f84a220f32c553292cecfd
Opcode Fuzzy Hash: 5f210d7b2d89e8e477a15f0564f887c0e2e7e443ad61579b0c31903b7815b04c
Instruction Fuzzy Hash: 94E092A4B18A9682FB149B11E8802B663A0AF58340F4C0039DD8DD7791DF3CE15DCB40

Function 00007FF6570A028C Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6570891E3,?,?,00000000,00007FF657089AC8), ref: 00007FF6570A02A6
CloseHandle.KERNEL32(?,?,?,00007FF6570891E3,?,?,00000000,00007FF657089AC8), ref: 00007FF6570A02B9
CloseHandle.KERNEL32(?,?,?,00007FF6570891E3,?,?,00000000,00007FF657089AC8), ref: 00007FF6570A02CC
CloseHandle.KERNEL32(?,?,?,00007FF6570891E3,?,?,00000000,00007FF657089AC8), ref: 00007FF6570A02DF

Memory Dump Source

Source File: 00000000.00000002.1716194608.00007FF657081000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF657080000, based on PE: true

Associated: 00000000.00000002.1715987073.00007FF657080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1717665063.00007FF6570FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718727081.00007FF657136000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657139000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718750872.00007FF657140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff657080000_VmjvNTbD5J.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 248a4677ca020e95ef84e429e29d9649a36739842d52bb2f7058107c3b1b520b
Instruction ID: 0d8c5bb24bd3bf75ba667bd24b03a343b3c18fec6bcc6f0d6a5fba45809829f7
Opcode Fuzzy Hash: 248a4677ca020e95ef84e429e29d9649a36739842d52bb2f7058107c3b1b520b
Instruction Fuzzy Hash: 2B112EB2A06B4981EB548F60D59033973F4EF54FA8F590325CA6D965D8CF78D898C344

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VmjvNTbD5J.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6c4cbe36

C:\Users\user\AppData\Local\Temp\82eb896d

C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.cleanroom.log

C:\Users\user\AppData\Local\Temp\Acupressure_20250109084342.log

C:\Users\user\AppData\Local\Temp\EKU_Make_debug_v4.exe

C:\Users\user\AppData\Local\Temp\toxpkftoidctr

C:\Users\user\AppData\Local\Temp\wkvxqcae

C:\Users\user\AppData\Local\Temp\yirxmaoe

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WCUtil.dll

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\WebCopier.exe

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\cathedra.wmv

C:\Users\user\AppData\Roaming\ChromeQuick_DVBv5\necropsy.eml

C:\Windows\Temp\{183D20FC-2635-447B-B387-8CCFB1626C88}\.cr\VmjvNTbD5J.exe

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\BootstrapperApplicationData.xml

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\BundleExtensionData.xml

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\Pedlary.dll

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WCUtil.dll

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\WebCopier.exe

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\cathedra.wmv

C:\Windows\Temp\{AB6ED4D2-8A43-42EF-89A9-2D0F6A021EFE}\.ba\necropsy.eml

Static File Info

Windows Analysis Report
VmjvNTbD5J.exe

Function 00007FF657090238 Relevance: 88.1, APIs: 24, Strings: 26, Instructions: 582
fileCOMMON

Function 00007FF6570872AC Relevance: 65.2, APIs: 19, Strings: 18, Instructions: 454
fileCOMMON

Function 00007FF657089464 Relevance: 49.4, APIs: 4, Strings: 24, Instructions: 441
COMMON

Function 00007FF65709EB98 Relevance: 35.4, APIs: 2, Strings: 18, Instructions: 360
sleepregistryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre